Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Trivy vulnerability DB download fails during image scan #157

Open
pankajmouriyakong opened this issue Sep 19, 2024 · 0 comments · May be fixed by #184
Open

Trivy vulnerability DB download fails during image scan #157

pankajmouriyakong opened this issue Sep 19, 2024 · 0 comments · May be fixed by #184
Assignees

Comments

@pankajmouriyakong
Copy link
Contributor

pankajmouriyakong commented Sep 19, 2024

Summary

GitHub container registry randomly hitting api rate limit causing intermittent issue when downloading Trivy container CIS image / db and resulting in downstream scans to fail.

Options

  1. Skip cache by default and always leverage upstream DB
  • As an emergency failure in case of upstream hosting environment flakiness / failures, there won't be caches since they are expired and skipped
  1. Option to override default [<run_id>_<attempt_id>] to make it save unique caches in matrix job
    a. specify option to override cache key as input
    b. Detect if running in matrix context and generate unique caches based on some parameter.
  • Either way, this is also NOT recommended since multiple cache keys might exhaust Github default cache limits of 10GB since each cache key needs to be unique for run/attempt/matrix-input combination
  1. Host a vuln DB mirror as Kong repo and use it as the DB URL override
  • Overhead of effort and maintenance to maintain a list of updated offline Trivy vulnerability DB and distributing them
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants