fix: use cache for scan

Doc-only: true Required-githooks: true Signed-off-by: Tomasz Gromadzki <[email protected]>
daos-stack · Oct 25, 2024 · 0dd7302 · 0dd7302
1 parent 401f346
commit 0dd7302
Showing 1 changed file with 42 additions and 2 deletions.
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -16,9 +16,40 @@ on:
 permissions: {}
 
 jobs:
-  build:
+  update-trivy-db:
+    name: Update Trivy DB
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup oras
+        uses: oras-project/setup-oras@v1
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+          rm db.tar.gz
+
+      - name: Download and extract the Java DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+          oras pull ghcr.io/aquasecurity/trivy-java-db:1
+          tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+          rm javadb.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}
+  scan:
     name: Scan with Trivy
-    runs-on: ubuntu-20.04
+    needs: update-trivy-db
+    runs-on: ubuntu-latest
     permissions:
       security-events: write
     steps:
@@ -31,6 +62,9 @@ jobs:
           scan-type: 'fs'
           scan-ref: '.'
           trivy-config: 'utils/trivy/trivy.yaml'
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
 
       - name: Prepare the report to be uploaded to the GitHub artifact store
         run: |
@@ -57,6 +91,9 @@ jobs:
           scan-ref: '.'
           trivy-config: 'utils/trivy/trivy.yaml'
           skip-setup-trivy: true
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
@@ -77,3 +114,6 @@ jobs:
           scan-ref: '.'
           trivy-config: 'utils/trivy/trivy.yaml'
           skip-setup-trivy: true
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true