fix: use alt mirrors for trivy db (#89)

* fix: use alt mirrors for trivy db * rm cache dir * added to standard lint * schedule
miracum · Oct 23, 2024 · a609c55 · a609c55
1 parent 1748b6a
commit a609c55
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 19 deletions.
diff --git a/.github/workflows/standard-build.yaml b/.github/workflows/standard-build.yaml
@@ -7,6 +7,10 @@ defaults:
   run:
     shell: bash
 
+env:
+  TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+  TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+
 on:
   workflow_call:
     inputs:
@@ -234,31 +238,13 @@ jobs:
           wget https://github.com/aquasecurity/trivy/releases/download/v0.56.0/trivy_0.56.0_Linux-64bit.deb
           sudo dpkg -i trivy_0.56.0_Linux-64bit.deb
 
-      - name: Check trivy db sha
-        id: trivy-db-sha
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
-          headers='Accept: application/vnd.github+json'
-          jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
-          sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
-          echo "Trivy DB sha256:${sha}"
-          echo "sha=${sha}" >> "${GITHUB_OUTPUT}"
-
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
-        with:
-          path: "${{ github.workspace }}/.cache/trivy"
-          key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db-sha.outputs.sha }}
-
       - name: Create Trivy vulnerability attestation
         if: ${{ inputs.enable-trivy-scan }}
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
           trivy image \
             --exit-code=0 \
-            --cache-dir="${{ github.workspace }}/.cache/trivy" \
             --format=cosign-vuln \
             --output=trivy-vuln-attestation.json \
             --ignore-unfixed="${{ inputs.trivy-ignore-unfixed }}" \
@@ -284,7 +270,6 @@ jobs:
         run: |
           trivy image \
             --exit-code=0 \
-            --cache-dir="${{ github.workspace }}/.cache/trivy" \
             --format=template \
             --output=trivy-pr-report.md \
             --template="@trivy-pr-report.md.tpl" \

diff --git a/.github/workflows/standard-lint.yaml b/.github/workflows/standard-lint.yaml
@@ -7,6 +7,10 @@ defaults:
   run:
     shell: bash
 
+env:
+  TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+  TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+
 on:
   workflow_call:
     inputs:

diff --git a/.github/workflows/standard-schedule.yaml b/.github/workflows/standard-schedule.yaml
@@ -20,6 +20,10 @@ on:
         description: "The GitHub workflow token used to push to ghcr.io. Also used by MegaLinter"
         required: true
 
+env:
+  TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+  TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+
 jobs:
   check-links:
     name: check links using lychee