ci: fix rate-limit trivy issue (#4184)

ory · Oct 31, 2024 · 25f17e7 · 25f17e7
1 parent b294804
commit 25f17e7
Showing 1 changed file with 33 additions and 16 deletions.
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
@@ -1,5 +1,6 @@
 name: Docker Image Scanners
 on:
+  workflow_dispatch:
   push:
     branches:
       - "master"
@@ -9,27 +10,47 @@ on:
     branches:
       - "master"
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   scanners:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup Env
         id: vars
         shell: bash
         run: |
           echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Build images
         shell: bash
         run: |
           IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
+
+      # Add GitHub authentication for Trivy
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Configure Trivy
+      - name: Configure Trivy
+        run: |
+          mkdir -p $HOME/.cache/trivy
+          echo "TRIVY_USERNAME=${{ github.actor }}" >> $GITHUB_ENV
+          echo "TRIVY_PASSWORD=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
+
       - name: Anchore Scanner
-        uses: anchore/scan-action@v3
+        uses: anchore/scan-action@v5
         id: grype-scan
         with:
           image: oryd/kratos:${{ env.SHA_SHORT }}
@@ -45,18 +66,10 @@ jobs:
           echo "::endgroup::"
       - name: Anchore upload scan SARIF report
         if: always()
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ steps.grype-scan.outputs.sarif }}
-      #      - name: Kubescape scanner
-      #        uses: kubescape/github-action@main
-      #        id: kubescape
-      #        with:
-      #          verbose: true
-      #          format: pretty-printer
-      #          # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
-      #          image: oryd/kratos:${{ env.SHA_SHORT }}
-      #          severityThreshold: critical
+
       - name: Trivy Scanner
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}
@@ -67,9 +80,13 @@ jobs:
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH"
-          scanners: "vuln,secret,config"
+          scanners: "vuln,secret,misconfig"
+        env:
+          TRIVY_SKIP_JAVA_DB_UPDATE: "true"
+          TRIVY_DISABLE_VEX_NOTICE: "true"
+
       - name: Dockle Linter
-        uses: erzz/dockle-action@v1.3.2
+        uses: erzz/dockle-action@v1
         if: ${{ always() }}
         with:
           image: oryd/kratos:${{ env.SHA_SHORT }}