
fix: use CDS Trivy vulnerability database (#2324)
Update the Docker scan actions to use a self-hosted Trivy vulnerability database.
This is being done to address the rate limiting of the publicly hosted database.
patheard authored Oct 10, 2024
1 parent 248d4db commit b6959f6
Showing 3 changed files with 12 additions and 4 deletions.
8 changes: 6 additions & 2 deletions .github/workflows/docker-vulnerability-scan.yml
Expand Up @@ -32,7 +32,9 @@ jobs:
registry-type: public

- name: Docker vulnerability scan
uses: cds-snc/security-tools/.github/actions/docker-scan@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4
uses: cds-snc/security-tools/.github/actions/docker-scan@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0
env:
TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
with:
docker_image: "${{ env.DOCKER_IMAGE }}:latest"
dockerfile_path: "${{ env.DOCKERFILE_PATH }}"
Expand Down Expand Up @@ -65,7 +67,9 @@ jobs:
uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1

- name: Docker vulnerability scan
uses: cds-snc/security-tools/.github/actions/docker-scan@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4
uses: cds-snc/security-tools/.github/actions/docker-scan@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0
env:
TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
with:
docker_image: "${{ env.DOCKER_IMAGE }}:${{ env.IMAGE_TAG }}"
dockerfile_path: "${{ env.DOCKERFILE_PATH }}"
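Review bot: The added `TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}` line in both hunks sets the variable even when the repository variable is undefined, because an unset `vars.*` expression expands to an empty string; whether Trivy then errors out or quietly falls back to the public database is not visible here, so it is worth confirming and, if needed, failing early with a step check such as `[ -n "${{ vars.TRIVY_DB_REPOSITORY }}" ]` before the scan runs. The same three-line `env:` block is repeated in this file's two hunks and again in docker.yaml and lambda_production.yml; a workflow-level `env:` would set it once, assuming the action reads the plain environment variable rather than a step input. Readers of the workflow file will not see this commit message, so a comment on the line would help, e.g. `# Self-hosted Trivy DB mirror (repository variable) used to avoid public DB rate limits`. Because this variable decides where vulnerability data is fetched from, the repository variable itself should be treated as security-relevant configuration whose changes are reviewed like the pinned action SHA.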
4 changes: 3 additions & 1 deletion .github/workflows/docker.yaml
Expand Up @@ -114,7 +114,9 @@ jobs:
TOKEN: ${{ steps.notify-pr-bot.outputs.token }}

- name: Generate docker SBOM
uses: cds-snc/security-tools/.github/actions/generate-sbom@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4
uses: cds-snc/security-tools/.github/actions/generate-sbom@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0
env:
TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
with:
docker_image: "${{ env.DOCKER_SLUG }}:latest"
dockerfile_path: "ci/Dockerfile"
4 changes: 3 additions & 1 deletion .github/workflows/lambda_production.yml
Expand Up @@ -50,7 +50,9 @@ jobs:
docker push $REGISTRY/${{ matrix.image }}:$IMAGE_TAG
- name: Generate docker SBOM
uses: cds-snc/security-tools/.github/actions/generate-sbom@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4
uses: cds-snc/security-tools/.github/actions/generate-sbom@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0
env:
TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
with:
docker_image: "${{ env.REGISTRY }}/${{ matrix.image }}:${{ env.IMAGE_TAG }}"
dockerfile_path: "ci/Dockerfile.lambda"
