From 1b8b83dcc27a38f7d5506919fcea6945aa29b3b8 Mon Sep 17 00:00:00 2001 From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Date: Tue, 8 Oct 2024 10:05:39 +0600 Subject: [PATCH] docs: add usage info about `action/cache` for trivy databases (#397) * docs: add info about using `action/cache` for `trivy-db` * docs: add info about trivy-java-db and trivy-checks --- README.md | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/README.md b/README.md index 2a2ca84..54498d5 100644 --- a/README.md +++ b/README.md @@ -123,6 +123,56 @@ jobs: severity: 'CRITICAL,HIGH' ``` +### Using cache for Trivy databases +Recently, there has been an increase in cases of receiving the `TOOMANYREQUESTS` error when downloading the Trivy databases (`trivy-db`, `trivy-java-db` and `trivy-checks`). + +If you’re performing multiple scans, it makes sense to use [action/cache](https://github.com/actions/cache) to cache one or more databases. + +The example below saves the `trivy-db` for each day in the cache: + +```yaml +name: build +on: + push: + branches: + - main + pull_request: + +jobs: + build: + name: Build + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v4 + + ## To avoid the trivy-db becoming outdated, we save the cache for one day + - name: Get data + id: date + run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT + + - name: Restore trivy cache + uses: actions/cache@v4 + with: + path: cache/db + key: trivy-cache-${{ steps.date.outputs.date }} + restore-keys: + trivy-cache- + + - name: Run Trivy vulnerability scanner in fs mode + uses: aquasecurity/trivy-action@0.24.0 + with: + scan-type: 'fs' + scan-ref: '.' + cache-dir: "./cache" + + ## Trivy-db uses `0600` permissions. + ## But `action/cache` use `runner` user by default + ## So we need to change the permissions before caching the database. + - name: change permissions for trivy.db + run: sudo chmod 0644 ./cache/db/trivy.db +``` + ### Using Trivy with GitHub Code Scanning If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: ```yaml