Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: add cron job to cache trivy db #1918

Merged
merged 1 commit into from
Nov 8, 2024
Merged

ci: add cron job to cache trivy db #1918

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions .github/actions/restore_trivy_cache/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
name: "Steps to restore trivy cache"
description: "Steps to restore Trivy cache under ~/.cache/trivy"

runs:
using: "composite"
steps:
- name: Get current date
id: date
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
shell: bash
- name: Restore trivy cache directory
uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: ${{ github.workspace }}/.cache/trivy
key: cache-trivy-${{ steps.date.outputs.date }}
- name: Set up trivy cache directory
run: |
mkdir -p ~/.cache/trivy
cp -r ${{ github.workspace }}/.cache/trivy/db ~/.cache/trivy
shell: bash
3 changes: 3 additions & 0 deletions .github/workflows/e2e-aks.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,9 @@ jobs:
# Container Registry:
az account get-access-token --scope https://containerregistry.azure.net/.default --output none

- name: Restore Trivy cache
uses: ./.github/actions/restore_trivy_cache

- name: Dependencies e2e
run: |
mkdir -p $GITHUB_WORKSPACE/bin
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/e2e-cli.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,8 @@ jobs:
go-version: "1.22"
- name: Run tidy
run: go mod tidy
- name: Restore Trivy cache
uses: ./.github/actions/restore_trivy_cache
- name: Build CLI
run: make
- name: Check build
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/e2e-k8s.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,8 @@ jobs:
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22"

- name: Restore Trivy cache
uses: ./.github/actions/restore_trivy_cache
- name: Bootstrap e2e
run: |
mkdir -p $GITHUB_WORKSPACE/bin
Expand Down
11 changes: 2 additions & 9 deletions .github/workflows/scan-vulns.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,15 +55,8 @@ jobs:
tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
echo "$(pwd)" >> $GITHUB_PATH

- name: Download vulnerability database
uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
with:
max_attempts: 3
retry_on: error
timeout_seconds: 30
retry_wait_seconds: 5
command: |
trivy image --download-db-only
- name: Restore Trivy cache
uses: ./.github/actions/restore_trivy_cache

- name: Run trivy on git repository
run: |
Expand Down
42 changes: 42 additions & 0 deletions .github/workflows/update-trivy-cache.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
name: Update Trivy Cache

on:
schedule:
- cron: '0 0 * * *' # Run daily at midnight UTC
binbin-li marked this conversation as resolved.
Show resolved Hide resolved
workflow_dispatch:

permissions: read-all

jobs:
update-trivy-db:
runs-on: ubuntu-latest
if: ${{ github.ref == github.event.repository.default_branch }}
steps:
- name: Setup oras
uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1.2.1

- name: Get current date
akashsinghal marked this conversation as resolved.
Show resolved Hide resolved
id: date
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT

- name: Prepare DB directory
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db

- name: Download vulnerability database
uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
with:
max_attempts: 60
retry_on: error
timeout_seconds: 30
retry_wait_seconds: 60
command: |
oras pull ghcr.io/aquasecurity/trivy-db:2
tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
rm db.tar.gz

- name: Cache DBs
uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: ${{ github.workspace }}/.cache/trivy
akashsinghal marked this conversation as resolved.
Show resolved Hide resolved
key: cache-trivy-${{ steps.date.outputs.date }}
19 changes: 0 additions & 19 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -467,25 +467,6 @@ e2e-trivy-setup:
curl -L https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz --output .staging/trivy/trivy.tar.gz
tar -zxf .staging/trivy/trivy.tar.gz -C .staging/trivy

# Download vulnerability database in retry mode
max_retries=3; \
attempt=1; \
wait_time=2; \
while [ $$attempt -le $$max_retries ]; do \
echo "Attempt $$attempt of $$max_retries..."; \
if .staging/trivy/trivy image --download-db-only; then \
break; \
fi; \
if [ $$attempt -eq $$max_retries ]; then \
echo "Failed after $$max_retries attempts."; \
exit 1; \
fi; \
echo "Failed. Retrying in $$wait_time seconds..."; \
sleep $$wait_time; \
wait_time=$$(( wait_time * 2 )); \
attempt=$$(( attempt + 1 )); \
done

e2e-schemavalidator-setup:
rm -rf .staging/schemavalidator
mkdir -p .staging/schemavalidator
Expand Down
Loading