GitHub Action
Cache .trivy
Forked from actions/cache to cache the .trivy directory used by the trivy vulnerability scanner.
The cache key is generated by fetching the SHA256 of the latest trivy-db image from ghcr.io/aquasecurity/trivy-db, so a new database is downloaded as soon as one is published and reused from the cache until the next one appears.
The cache directory is fixed to .trivy because it needs to live inside GITHUB_WORKSPACE. GITHUB_WORKSPACE is the directory that aquasecurity/trivy-action mounts as a volume into its container, so it is the only location trivy can be pointed at with the --cache-dir flag.
Files and folders that Trivy writes inside .trivy are by default owned by root:root (the scan runs as root inside the action's container), not by runner:docker, which is the default ownership for files created by GitHub Actions steps. If the ownership is not fixed before the Post cache step, the cache save fails with:
Warning: EACCES: permission denied, scandir '/home/runner/work/***/***/.trivy
To resolve this, trivy-cache-action fixes the ownership in its post step by running chown -R $(stat . -c %u:%g) .trivy, using sudo when it is available. The stat call reads the uid:gid of the workspace directory itself, so the command works whatever user the runner happens to be.
Thanks to @vlaurin for the investigation and suggestions that made the cache work with aquasecurity/trivy-action.
If you are using this inside a container, a POSIX-compliant tar needs to be included and accessible in the execution path.
Since aquasecurity/trivy-action only supports Linux runners, this action is not tested on other platforms. It will most likely work there, but you will need to make sure the .trivy directory is passed to the trivy command as its cache directory.
Inputs
- gh-token: REQUIRED. GitHub token used to fetch the trivy db version that determines the cache key, e.g. gh-token: ${{ secrets.GITHUB_TOKEN }}
- prefix: Prefix for the cache key, for the case where multiple workflows push the cache concurrently, e.g. prefix: workflow1
Environment variables
- SEGMENT_DOWNLOAD_TIMEOUT_MIN: Segment download timeout (in minutes, default 60) after which the download of a cache segment is aborted if it has not completed. Inherited from actions/cache.
Outputs
- cache-hit: A boolean value indicating that an exact match was found for the key.
The cache is scoped to the key and the branch; the default branch's cache is available to other branches. Because this action uses the trivy-db SHA256 as the key, the cache is restored for as long as the trivy db has not been updated, regardless of which branch first saved it.
```yaml
name: Caching Trivy DB
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Trivy Cache
        uses: yogeshlonkar/trivy-cache-action@v0
        with:
          gh-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Vulnerability scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: my-image:v1.0.0
          exit-code: '1'
          ignore-unfixed: true
          cache-dir: .trivy
```
Note: You must use trivy-cache-action in your workflow before you run aquasecurity/trivy-action, so that the files are restored from the cache before the scan starts. If the trivy db SHA256 does not match an existing cache, a new cache is created automatically when the job completes successfully. As with any third-party action, pin aquasecurity/trivy-action to a release tag or commit SHA rather than a moving branch such as master if you want reproducible runs.
This action is equivalent to running the steps below together with aquasecurity/trivy-action. You can use these instead of this action 🤷‍♂️, though you might have to modify the "Fix .trivy permissions" step if running inside a container.
```yaml
- id: trivy-db
  name: Check trivy db sha
  env:
    GH_TOKEN: ${{ github.token }}
  run: |
    endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
    headers='Accept: application/vnd.github+json'
    jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
    sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
    echo "Trivy DB sha256:${sha}"
    echo "sha=${sha}" >> "$GITHUB_OUTPUT"
- uses: actions/cache@v3
  with:
    path: .trivy
    key: trivy-db-${{ steps.trivy-db.outputs.sha }}
- name: Vulnerability scan
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: my-image:v1.0.0
    exit-code: '1'
    ignore-unfixed: true
    cache-dir: .trivy
- name: Fix .trivy permissions
  run: sudo chown -R $(stat . -c %u:%g) .trivy
```
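The key derivation in the trivy-db step above (and the cache-key description at the top of this README) can be checked offline. The following is an added example and not code from trivy-cache-action: it reimplements the jq filter in Python so it runs without gh or jq, over a constructed stand-in for the package-versions API response. The fake digests, the decision to match the latest tag exactly instead of with a substring test, and the way the prefix input is prepended to the key are assumptions of this example.

```python
"""Derive the trivy-db cache key offline from a GHCR package-versions response.

Added example (not part of trivy-cache-action).  It mirrors the jq filter
  .[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")
so the key logic can be checked without calling `gh api`.
"""
import json
import re
from typing import Optional

# Constructed sample: the shape follows the GitHub packages API response
# (name = image digest, metadata.container.tags = tags pointing at that digest).
# The digests are fake placeholders, not real trivy-db digests.
SAMPLE_VERSIONS_JSON = json.dumps([
    {"name": "sha256:" + "a1" * 32,
     "metadata": {"container": {"tags": ["2", "latest"]}}},
    {"name": "sha256:" + "b2" * 32,
     "metadata": {"container": {"tags": ["1"]}}},
    {"name": "sha256:" + "c3" * 32,
     "metadata": {"container": {"tags": []}}},
])

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def latest_trivy_db_sha(versions_json: str) -> str:
    """Return the hex digest of the version tagged 'latest'.

    The jq filter uses contains("latest"), which is a substring test; this
    example uses exact tag equality (an assumption) so that a tag such as
    'latest-rc' cannot be picked up by mistake.  Raises ValueError if no or
    several versions carry the tag, or if the name is not a sha256 digest.
    """
    versions = json.loads(versions_json)
    matches = [v["name"] for v in versions
               if "latest" in v["metadata"]["container"]["tags"]]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one 'latest' version, found {len(matches)}")
    name = matches[0]
    if not DIGEST_RE.match(name):
        raise ValueError(f"unexpected version name: {name!r}")
    return name[len("sha256:"):]          # same effect as jq sub("sha256:";"")


def cache_key(sha: str, prefix: Optional[str] = None) -> str:
    """Build the cache key.

    'trivy-db-<sha>' matches the manual actions/cache step in the README.
    Prepending the optional prefix input as '<prefix>-' is an assumption of
    this example, not the action's documented format.
    """
    key = f"trivy-db-{sha}"
    return f"{prefix}-{key}" if prefix else key


if __name__ == "__main__":
    sha = latest_trivy_db_sha(SAMPLE_VERSIONS_JSON)
    print(cache_key(sha))
    print(cache_key(sha, prefix="workflow1"))
```

Rejecting anything other than exactly one latest-tagged digest matters here: an empty result would silently produce the key trivy-db- for every run, which would pin the workflow to a stale database without any error.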
Cache versions are handled automatically based on the trivy-db SHA256.
We would love for you to contribute to trivy-cache-action; pull requests are welcome! Please see CONTRIBUTING.md for more information. It is inherited from the original repository, actions/cache.
The scripts and documentation in this project are released under the MIT License