From da995e47093cebef56843ae8e7806df56524ff9b Mon Sep 17 00:00:00 2001
From: Binbin Li
Date: Wed, 6 Nov 2024 19:21:35 +0800
Subject: [PATCH] Update scan-vulns.yaml

---
 .github/workflows/scan-vulns.yaml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
index bcfc1a563..ec5033784 100644
--- a/.github/workflows/scan-vulns.yaml
+++ b/.github/workflows/scan-vulns.yaml
@@ -54,10 +54,15 @@ jobs:
 wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
 tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
 echo "$(pwd)" >> $GITHUB_PATH
+
+ - name: Set up trivy cache directory
+ run: |
+ mkdir -p ~/.cache/trivy
+ cp -r ${{ github.workspace }}/.cache/trivy ~/.cache/trivy
 
 - name: Run trivy on git repository
 run: |
- trivy fs --skip-db-update --cache-dir ${{ github.workspace }}/.cache/trivy/ --format table --ignore-unfixed --scanners vuln .
+ trivy fs --skip-db-update --format table --ignore-unfixed --scanners vuln .
 
 - name: Build docker images
 run: |
@@ -66,10 +71,10 @@ jobs:
 - name: Run trivy on images for all severity
 run: |
 for img in "localbuild:test" "localbuildcrd:test"; do
- trivy image --skip-db-update --cache-dir ${{ github.workspace }}/.cache/trivy/ --ignore-unfixed --vuln-type="os,library" "${img}"
+ trivy image --skip-db-update --ignore-unfixed --vuln-type="os,library" "${img}"
 done
 - name: Run trivy on images and exit on HIGH/CRITICAL severity
 run: |
 for img in "localbuild:test" "localbuildcrd:test"; do
- trivy image --skip-db-update --cache-dir ${{ github.workspace }}/.cache/trivy/ --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" "${img}"
+ trivy image --skip-db-update --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" "${img}"
 done
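Review bot: The new "Set up trivy cache directory" step copies the DB to the wrong path: `mkdir -p ~/.cache/trivy` creates the destination first, so `cp -r ${{ github.workspace }}/.cache/trivy ~/.cache/trivy` copies the source directory into it and the contents end up under `~/.cache/trivy/trivy/`, while the `trivy fs` call in this hunk and both `trivy image` loops in the second hunk now rely on the default `~/.cache/trivy` after losing `--cache-dir`. Since every call also passes `--skip-db-update`, a missing DB at the default location will most likely make the scans error out instead of running against the restored cache. Either copy the directory contents, `cp -r ${{ github.workspace }}/.cache/trivy/. ~/.cache/trivy/`, or drop the copy step entirely and set `TRIVY_CACHE_DIR: ${{ github.workspace }}/.cache/trivy` in the job's `env:` so the default is the restored path. This assumes an earlier step outside the hunk restores the cache into `${{ github.workspace }}/.cache/trivy`; if that directory is ever absent the `cp` itself fails the job, which is worth a comment on the step. The enclosing `steps:` list begins and ends outside both hunks.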