add a new action for trivy's cache (#64)

Consensys · Nov 7, 2024 · 63d7127 · 63d7127
1 parent 4b80446
commit 63d7127
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 1 deletion.
diff --git a/trivy-update-cache/action.yml b/trivy-update-cache/action.yml
@@ -0,0 +1,43 @@
+# SPDX-License-Identifier: Apache-2.0
+---
+name: 'Trivy Cache Update'
+description: 'Composite action to run download the trivy cache'
+
+# See https://github.com/aquasecurity/trivy-action#updating-caches-in-the-default-branch
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout tools repo
+      uses: actions/checkout@v4
+      with:
+        repository: Consensys/docs-gha
+        path: .docs-gha
+
+    - name: Get current date
+      id: date
+      shell: sh      
+      run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+    # May need to use https://github.com/marketplace/actions/retry-step to retry
+    - name: Download and extract the vulnerability DB
+      shell: sh    
+      run: |
+        mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+        oras pull ghcr.io/aquasecurity/trivy-db:2
+        tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+        rm db.tar.gz
+
+    - name: Download and extract the Java DB
+      shell: sh    
+      run: |
+        mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+        oras pull ghcr.io/aquasecurity/trivy-java-db:1
+        tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+        rm javadb.tar.gz
+
+    - name: Cache DBs
+      uses: actions/cache/save@v4
+      with:
+        path: ${{ github.workspace }}/.cache/trivy
+        key: cache-trivy-${{ steps.date.outputs.date }}
+
diff --git a/trivy/action.yml b/trivy/action.yml
@@ -3,6 +3,17 @@
 name: 'Trivy'
 description: 'Composite action to run trivy on the npm package.json'
 
+
+inputs:
+  TRIVY_SKIP_DB_UPDATE:
+    description: "Whether trivy should use cache instead of pulling latest db"
+    required: false
+    default: true
+  TRIVY_SKIP_JAVA_DB_UPDATE:
+    description: "Whether trivy should use cache instead of pulling latest java db"
+    required: false
+    default: true
+
 runs:
   using: "composite"
   steps:
@@ -13,14 +24,19 @@ runs:
         path: .docs-gha
 
     # 0.23.0
+    # Refer to https://github.com/aquasecurity/trivy-action#updating-caches-in-the-default-branch for the env vars 
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+      uses: aquasecurity/trivy-action@0.28.0
       with:
         scan-type: 'fs'
         ignore-unfixed: true
         format: 'sarif'
         output: 'trivy-results.sarif'
         severity: 'CRITICAL'
+        cache: 'true'
+      env:
+        TRIVY_SKIP_DB_UPDATE: ${{ inputs.TRIVY_SKIP_DB_UPDATE && inputs.TRIVY_SKIP_DB_UPDATE != 'false' }}
+        TRIVY_SKIP_JAVA_DB_UPDATE: ${{ inputs.TRIVY_SKIP_JAVA_DB_UPDATE && inputs.TRIVY_SKIP_JAVA_DB_UPDATE != 'false' }}
 
     - name: Upload Trivy scan results to GitHub Security tab
       uses: github/codeql-action/upload-sarif@v3