From bf9551d0ea3c975e853430c55209992473f38a1b Mon Sep 17 00:00:00 2001
From: Joshua Fernandes
Date: Thu, 7 Nov 2024 10:42:49 +1000
Subject: [PATCH] add a new action for trivy's cache (#64)

---
 trivy-update-cache/action.yml | 43 +++++++++++++++++++++++++++++++++++
 trivy/action.yml              | 20 ++++++++++++++--
 2 files changed, 61 insertions(+), 2 deletions(-)
 create mode 100644 trivy-update-cache/action.yml

diff --git a/trivy-update-cache/action.yml b/trivy-update-cache/action.yml
new file mode 100644
index 0000000..3a53a5d
--- /dev/null
+++ b/trivy-update-cache/action.yml
@@ -0,0 +1,43 @@
+# SPDX-License-Identifier: Apache-2.0
+---
+name: 'Trivy Cache Update'
+description: 'Composite action to run download the trivy cache'
+
+# See https://github.com/aquasecurity/trivy-action#updating-caches-in-the-default-branch
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout tools repo
+      uses: actions/checkout@v4
+      with:
+        repository: Consensys/docs-gha
+        path: .docs-gha
+
+    - name: Get current date
+      id: date
+      shell: sh
+      run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+    # May need to use https://github.com/marketplace/actions/retry-step to retry
+    - name: Download and extract the vulnerability DB
+      shell: sh
+      run: |
+        mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+        oras pull ghcr.io/aquasecurity/trivy-db:2
+        tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+        rm db.tar.gz
+
+    - name: Download and extract the Java DB
+      shell: sh
+      run: |
+        mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+        oras pull ghcr.io/aquasecurity/trivy-java-db:1
+        tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+        rm javadb.tar.gz
+
+    - name: Cache DBs
+      uses: actions/cache/save@v4
+      with:
+        path: ${{ github.workspace }}/.cache/trivy
+        key: cache-trivy-${{ steps.date.outputs.date }}
+ 
\ No newline at end of file
diff --git a/trivy/action.yml b/trivy/action.yml
index 0bca549..5a07301 100644
--- a/trivy/action.yml
+++ b/trivy/action.yml
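Review bot: The `Checkout tools repo` step fetches Consensys/docs-gha into `.docs-gha`, but none of the later steps in this file read that path, so it appears to be a leftover from trivy/action.yml that costs a network fetch and leaves a second repository in the workspace for nothing; if it is unused, drop the step. The two `oras pull` lines resolve mutable tags (`trivy-db:2`, `trivy-java-db:1`) and `tar -xzf` extracts the result with no integrity check beyond the registry's TLS, which is inherent to mirroring a frequently refreshed DB, but the decision deserves a comment above the first pull such as `# DB tags are mutable by design; trust is anchored on ghcr.io TLS, not a pinned digest. oras prints the pulled digest, keep it in the job log for traceability`. The steps also assume `oras` is already on the runner, which hosted images do not guarantee. Minor: `description` reads "run download the trivy cache", and the file ends with a whitespace-only `+` line and no trailing newline.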
@@ -3,6 +3,17 @@
 name: 'Trivy'
 description: 'Composite action to run trivy on the npm package.json'
 
+
+inputs:
+  TRIVY_SKIP_DB_UPDATE:
+    description: "Whether trivy should use cache instead of pulling latest db"
+    required: false
+    default: true
+  TRIVY_SKIP_JAVA_DB_UPDATE:
+    description: "Whether trivy should use cache instead of pulling latest java db"
+    required: false
+    default: true
+
 runs:
   using: "composite"
   steps:
@@ -12,15 +23,20 @@ runs:
         repository: Consensys/docs-gha
         path: .docs-gha
 
-    # 0.23.0
+    # 0.28.0
+    # Refer to https://github.com/aquasecurity/trivy-action#updating-caches-in-the-default-branch for the env vars
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+      uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
       with:
         scan-type: 'fs'
         ignore-unfixed: true
         format: 'sarif'
         output: 'trivy-results.sarif'
         severity: 'CRITICAL'
+        cache: 'true'
+      env:
+        TRIVY_SKIP_DB_UPDATE: ${{ inputs.TRIVY_SKIP_DB_UPDATE && inputs.TRIVY_SKIP_DB_UPDATE != 'false' }}
+        TRIVY_SKIP_JAVA_DB_UPDATE: ${{ inputs.TRIVY_SKIP_JAVA_DB_UPDATE && inputs.TRIVY_SKIP_JAVA_DB_UPDATE != 'false' }}
 
     - name: Upload Trivy scan results to GitHub Security tab
       uses: github/codeql-action/upload-sarif@v3
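Review bot: `default: true` on both new inputs is a bare YAML boolean while the same file passes `cache: 'true'` as a quoted string and the env expressions compare these inputs against `'false'`; action inputs are always strings, so write `default: 'true'` on both for consistency and so yamllint's truthy rule stays quiet. The descriptions also omit the operational consequence of the default: the scan then runs against whatever DB the cache holds, so results are only as current as the last trivy-update-cache run on the default branch. Suggest `description: "Use the cached vulnerability DB instead of pulling the latest one (default 'true'); the cache is only as fresh as the last trivy-update-cache run on the default branch"` and the corresponding wording for the Java DB input.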
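Review bot: The new `env` block turns an empty-string input into an empty env var, because `${{ inputs.TRIVY_SKIP_DB_UPDATE && inputs.TRIVY_SKIP_DB_UPDATE != 'false' }}` evaluates to `''` when the input is `''`, whereas the comparison alone, `TRIVY_SKIP_DB_UPDATE: ${{ inputs.TRIVY_SKIP_DB_UPDATE != 'false' }}`, yields a plain `true`/`false` for every value including empty; the Java line has the same shape. With `cache: 'true'` and skip-update on by default, a run in which no `cache-trivy-<date>` entry was restored proceeds without a freshly pulled DB; I cannot tell from this diff whether trivy then fails hard or scans with a missing DB, so a comment above `env:` stating the expected behaviour on a cache miss (`# On a cache miss with skip-update set, trivy has no DB; confirm this fails the step rather than reporting zero findings`) would make the intended security posture explicit. Pinning `aquasecurity/trivy-action` by commit SHA with the version in the comment is the right pattern; keep it.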