GitHub Action
Cache .trivy
Forked from actions/cache to cache .trivy directory used by trivy vulnerability scanner.
The cache key is generated by fetches latest trivy db SHA256 from ghcr.io/aquasecurity/trivy-db making sure latest db is downloaded once available.
Cache directory if fixed to .trivy as it needs to be in GITHUB_WORKSPACE. GITHUB_WORKSPACE is the directory that is mounted as a volume on aquasecurity/trivy-action from where trivy can use --cache-dir flag.
Files and folders generated by Trivy inside .trivy by default are owned by root:root instead of runner:docker which is default for the files generated by GitHub actions.
If ownership is not fixed in Post cache step below error is thrown
Warning: EACCES: permission denied, scandir '/home/runner/work/***/***/.trivy
To resolve this, trivy-cache-action fixes ownership by running chown -R $(stat . -c %u:%g) .trivy with sudo if available.
Thanks to @vlaurin for investigation and suggestions to make cache work with aquasecurity/trivy-action
If you are using this inside a container, a POSIX-compliant tar needs to be included and accessible in the execution path.
Since aquasecurity/trivy-action only support linux runners this action is not tested on other platforms, it will most likely work, but you will need to make sure .trivy directory is passed as option to trivy command
gh-token:REQUIREDGitHub token for fetching trivy db version to determine cache key, e.g.gh-token: ${{ secrets.GITHUB_TOKEN }}prefix: Prefix for cache key in case multiple workflows concurrently push cache, e.g.prefix: workflow1
SEGMENT_DOWNLOAD_TIMEOUT_MIN- Segment download timeout (in minutes, default60) to abort download of the segment if not completed in the defined number of minutes. Read more
cache-hit- A boolean value to indicate an exact match was found for the key
The cache is scoped to the key and branch. The default branch cache is available to other branches, since this action uses trivy db SHA256 as a key it will restore cache if trivy db is not updated
name: Caching Trivy DB
on: push
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Trivy Cache
uses: yogeshlonkar/trivy-cache-action@v0
with:
gh-token: ${{ secrets.GITHUB_TOKEN }}
- name: Vulnerability scan
uses: aquasecurity/trivy-action@master
with:
image-ref: my-image:v1.0.0
exit-code: '1'
ignore-unfixed: true
cache-dir: .trivyNote: You must use the
trivy-cache-actionin your workflow before you runaquasecurity/trivy-actionfor the files that might be restored from the cache. If the trivy db SHA256 doesn't match an existing cache, a new cache is automatically created if the job completes successfully.
This action is equivalent to running below steps with aquasecurity/trivy-action. You can use this instead of this action 🤷♂️ , might have to modify Fix .trivy permissions step if running inside container.
- id: trivy-db
name: Check trivy db sha
env:
GH_TOKEN: ${{ github.token }}
run: |
endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
headers='Accept: application/vnd.github+json'
jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
echo "Trivy DB sha256:${sha}"
echo "::set-output name=sha::${sha}"
- uses: actions/cache@v3
with:
path: .trivy
key: trivy-db-${{ steps.trivy-db.outputs.sha }}
- name: Vulnerability scan
uses: aquasecurity/trivy-action@master
with:
image-ref: my-image:v1.0.0
exit-code: '1'
ignore-unfixed: true
cache-dir: .trivy
- name: Fix .trivy permissions
run: sudo chown -R $(stat . -c %u:%g) .trivyCache version are automatically handled based on trivy-db SHA265.
We would love for you to contribute to trivy-cache-action, pull requests are welcome! Please see the CONTRIBUTING.md for more information which inherits contributors from original repository actions/cache.
The scripts and documentation in this project are released under the MIT License