From 7682e01e956ea3955cc7a7a66b64c9b439b8cf48 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Wed, 13 Nov 2024 11:08:35 -0800
Subject: [PATCH 1/9] cache trivy take 1
---
 .github/workflows/vulnerability-scans.yml | 41 +++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
index 01014f2bc..9108be13c 100644
--- a/.github/workflows/vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
@@ -94,6 +94,44 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 
+ - name: Get current date
+ id: date
+ run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+ - name: Restore cached trivy vulnerability and Java DBs
+ id: cache-trivy
+ uses: actions/cache/restore@v4
+ with:
+ path: ${{ github.workspace }}/.cache/trivy
+ key: cache-trivy-${{ steps.date.outputs.date }}
+
+ - name: Setup oras
+ if: steps.cache-trivy.outputs.cache-hit != 'true'
+ uses: oras-project/setup-oras@v1
+
+ - name: Download and extract the vulnerability DB
+ if: steps.cache-trivy.outputs.cache-hit != 'true'
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+ oras pull ghcr.io/aquasecurity/trivy-db:2
+ tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+ rm db.tar.gz
+
+ - name: Download and extract the Java DB
+ if: steps.cache-trivy.outputs.cache-hit != 'true'
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+ oras pull ghcr.io/aquasecurity/trivy-java-db:1
+ tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+ rm javadb.tar.gz
+
+ - name: Cache DBs
+ if: steps.cache-trivy.outputs.cache-hit != 'true'
+ uses: actions/cache/save@v4
+ with:
+ path: ${{ github.workspace }}/.cache/trivy
+ key: cache-trivy-${{ steps.date.outputs.date }}
+
 - name: Restore cached Docker image
 uses: actions/cache/restore@v4
 with:
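Review bot: Nothing in this hunk connects the restore/save path `${{ github.workspace }}/.cache/trivy` to the trivy scan step that has to read it (that step is outside the hunk), so the wiring presumably relies on trivy-action's default `cache-dir`; a comment above the restore step, `# path must match the scan step's cache-dir (trivy-action default: $GITHUB_WORKSPACE/.cache/trivy)`, or an explicit `cache-dir:` input on the scan step, would make that coupling visible. `oras-project/setup-oras@v1` is a third-party action referenced by a floating major tag, and `oras pull ghcr.io/aquasecurity/trivy-db:2` fetches whatever the mutable `2` tag currently resolves to, so the data that decides scan results is not pinned; referencing the action by commit SHA is the usual supply-chain mitigation, and the date-based cache key should not be read as any kind of integrity check. Also note that a cache saved from a feature branch is not visible to other branches, so the download still runs once per branch per day until the default branch has run this job.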
@@ -116,6 +154,9 @@ jobs:
 ignore-unfixed: true
 vuln-type: os
 scanners: vuln,secret
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
 
 - name: Save output to workflow summary
 if: always() # Runs even if there is a failure
From db058175dbd41f40ade4f25f1da44fd8b3d17fb0 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Wed, 13 Nov 2024 11:16:11 -0800
Subject: [PATCH 2/9] linter stuff
---
 .github/workflows/vulnerability-scans.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
index 9108be13c..2d297fba6 100644
--- a/.github/workflows/vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
@@ -112,17 +112,17 @@ jobs:
 - name: Download and extract the vulnerability DB
 if: steps.cache-trivy.outputs.cache-hit != 'true'
 run: |
- mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+ mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/db"
 oras pull ghcr.io/aquasecurity/trivy-db:2
- tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+ tar -xzf db.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/db"
 rm db.tar.gz
 
 - name: Download and extract the Java DB
 if: steps.cache-trivy.outputs.cache-hit != 'true'
 run: |
- mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+ mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/java-db"
 oras pull ghcr.io/aquasecurity/trivy-java-db:1
- tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+ tar -xzf javadb.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/java-db"
 rm javadb.tar.gz
 
 - name: Cache DBs
From 1393e8f6baa33e02dbd8ed7ca388e7e763aacf8a Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Wed, 13 Nov 2024 11:31:26 -0800
Subject: [PATCH 3/9] test trivy cache again
---
 .github/workflows/vulnerability-scans.yml | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
index 2d297fba6..edebb005a 100644
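Review bot: `TRIVY_SKIP_DB_UPDATE: true` and `TRIVY_SKIP_JAVA_DB_UPDATE: true` are YAML booleans that the runner stringifies before exporting them; writing them as `'true'`, as the `cache-hit != 'true'` guards elsewhere in the file already do, states the intent explicitly and keeps yamllint's truthy rule quiet. With the update skipped, the scan depends entirely on the restore/oras steps earlier in the job and fails instead of falling back to a download when that cache directory is empty, which is the right fail-closed behaviour but deserves a comment on the `env:` block, e.g. `# DBs come from the cache/oras steps above; do not let trivy download its own`. The scan step's `uses:` line is outside this hunk.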
--- a/.github/workflows/vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
@@ -99,18 +99,22 @@ jobs:
 run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
 
 - name: Restore cached trivy vulnerability and Java DBs
- id: cache-trivy
+ id: trivy-cache
 uses: actions/cache/restore@v4
 with:
 path: ${{ github.workspace }}/.cache/trivy
- key: cache-trivy-${{ steps.date.outputs.date }}
+ key: trivy-cache-${{ steps.date.outputs.date }}
 
 - name: Setup oras
- if: steps.cache-trivy.outputs.cache-hit != 'true'
+ if: steps.trivy-cache.outputs.cache-hit != 'true'
 uses: oras-project/setup-oras@v1
 
+ # Download and extract the vulnerability DB and Java DB
+ # This is based on the instructions here:
+ # https://github.com/aquasecurity/trivy-action/?tab=readme-ov-file#updating-caches-in-the-default-branch
+
 - name: Download and extract the vulnerability DB
- if: steps.cache-trivy.outputs.cache-hit != 'true'
+ if: steps.trivy-cache.outputs.cache-hit != 'true'
 run: |
 mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/db"
 oras pull ghcr.io/aquasecurity/trivy-db:2
@@ -118,7 +122,7 @@ jobs:
 rm db.tar.gz
 
 - name: Download and extract the Java DB
- if: steps.cache-trivy.outputs.cache-hit != 'true'
+ if: steps.trivy-cache.outputs.cache-hit != 'true'
 run: |
 mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/java-db"
 oras pull ghcr.io/aquasecurity/trivy-java-db:1
@@ -126,11 +130,11 @@ jobs:
 rm javadb.tar.gz
 
 - name: Cache DBs
- if: steps.cache-trivy.outputs.cache-hit != 'true'
+ if: steps.trivy-cache.outputs.cache-hit != 'true'
 uses: actions/cache/save@v4
 with:
 path: ${{ github.workspace }}/.cache/trivy
- key: cache-trivy-${{ steps.date.outputs.date }}
+ key: trivy-cache-${{ steps.date.outputs.date }}
 
 - name: Restore cached Docker image
 uses: actions/cache/restore@v4
From 2c9f3c2aeb972a3cb6d2561f067d543ea39d2807 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Wed, 13 Nov 2024 11:48:01 -0800
Subject: [PATCH 4/9] sub cache on app name
---
 .github/workflows/vulnerability-scans.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
index edebb005a..35c9b0ab2 100644
--- a/.github/workflows/vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
@@ -102,7 +102,7 @@ jobs:
 id: trivy-cache
 uses: actions/cache/restore@v4
 with:
- path: ${{ github.workspace }}/.cache/trivy
+ path: ${{ github.workspace }}/${{ inputs.app_name }}/.cache/trivy
 key: trivy-cache-${{ steps.date.outputs.date }}
 
 - name: Setup oras
@@ -116,24 +116,24 @@ jobs:
 - name: Download and extract the vulnerability DB
 if: steps.trivy-cache.outputs.cache-hit != 'true'
 run: |
- mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/db"
+ mkdir -p "$GITHUB_WORKSPACE/${{ inputs.app_name }}/.cache/trivy/db"
 oras pull ghcr.io/aquasecurity/trivy-db:2
- tar -xzf db.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/db"
+ tar -xzf db.tar.gz -C "$GITHUB_WORKSPACE/${{ inputs.app_name }}/.cache/trivy/db"
 rm db.tar.gz
 
 - name: Download and extract the Java DB
 if: steps.trivy-cache.outputs.cache-hit != 'true'
 run: |
- mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/java-db"
+ mkdir -p "$GITHUB_WORKSPACE/${{ inputs.app_name }}/.cache/trivy/java-db"
 oras pull ghcr.io/aquasecurity/trivy-java-db:1
- tar -xzf javadb.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/java-db"
+ tar -xzf javadb.tar.gz -C "$GITHUB_WORKSPACE/${{ inputs.app_name }}/.cache/trivy/java-db"
 rm javadb.tar.gz
 
 - name: Cache DBs
 if: steps.trivy-cache.outputs.cache-hit != 'true'
 uses: actions/cache/save@v4
 with:
- path: ${{ github.workspace }}/.cache/trivy
+ path: ${{ github.workspace }}/${{ inputs.app_name }}/.cache/trivy
 key: trivy-cache-${{ steps.date.outputs.date }}
 
 - name: Restore cached Docker image
From 61de1b1839f8d602220597b7071f700a06b4183e Mon Sep 17 00:00:00 2001
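Review bot: Both hunks interpolate `${{ inputs.app_name }}` directly into the `run:` shell scripts (the `mkdir -p` and `tar -C` lines of the two download steps); the expression is expanded by the runner before bash parses the script, so the surrounding double quotes do not protect it and this is the classic expression-injection surface. `inputs` of a `workflow_call` come from the calling workflow rather than from a PR author, which limits the exposure, but the robust pattern is to pass the value through the step's `env:` (e.g. `APP_NAME: ${{ inputs.app_name }}`) and reference it as `"$APP_NAME"` in the script. The same value in the `path:` of the cache restore/save steps (first hunk) is harmless on its own but is why those paths and the script paths must stay in sync; this commit is reverted later in the series, so the point only matters if the per-app path is reintroduced.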
From: Kai Siren
Date: Wed, 13 Nov 2024 11:50:20 -0800
Subject: [PATCH 5/9] add run name
---
 .github/workflows/vulnerability-scans.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
index 35c9b0ab2..8d49b73d7 100644
--- a/.github/workflows/vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
@@ -2,6 +2,7 @@
 # to ensure images built are secure before they are deployed.
 
 name: Vulnerability Scans
+run-name: Vulnerability Scans for ${{ inputs.app_name }}
 
 on:
 workflow_call:
From e1364283b6d507dbc515a7f7cdd51a813b1c9307 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Wed, 13 Nov 2024 11:51:18 -0800
Subject: [PATCH 6/9] move comment
---
 .github/workflows/vulnerability-scans.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
index 8d49b73d7..5f4d612b6 100644
--- a/.github/workflows/vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
@@ -106,14 +106,14 @@ jobs:
 path: ${{ github.workspace }}/${{ inputs.app_name }}/.cache/trivy
 key: trivy-cache-${{ steps.date.outputs.date }}
 
- - name: Setup oras
- if: steps.trivy-cache.outputs.cache-hit != 'true'
- uses: oras-project/setup-oras@v1
-
 # Download and extract the vulnerability DB and Java DB
 # This is based on the instructions here:
 # https://github.com/aquasecurity/trivy-action/?tab=readme-ov-file#updating-caches-in-the-default-branch
 
+ - name: Setup oras
+ if: steps.trivy-cache.outputs.cache-hit != 'true'
+ uses: oras-project/setup-oras@v1
+
 - name: Download and extract the vulnerability DB
 if: steps.trivy-cache.outputs.cache-hit != 'true'
 run: |
From e9e04d9d642b62439233d5857a805b078c501766 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Wed, 13 Nov 2024 11:54:01 -0800
Subject: [PATCH 7/9] quotes
---
 .github/workflows/vulnerability-scans.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
index 5f4d612b6..c310c1f10 100644
--- a/.github/workflows/vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
@@ -97,7 +97,7 @@ jobs:
 
 - name: Get current date
 id: date
- run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+ run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
 
 - name: Restore cached trivy vulnerability and Java DBs
 id: trivy-cache
From 17d417d914c8f0e1cdc416d40ecbe75d3d290cbe Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Wed, 13 Nov 2024 12:12:26 -0800
Subject: [PATCH 8/9] Revert "sub cache on app name"
This reverts commit 2c9f3c2aeb972a3cb6d2561f067d543ea39d2807.
---
 .github/workflows/vulnerability-scans.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
index c310c1f10..a0569a242 100644
--- a/.github/workflows/vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
@@ -103,7 +103,7 @@ jobs:
 id: trivy-cache
 uses: actions/cache/restore@v4
 with:
- path: ${{ github.workspace }}/${{ inputs.app_name }}/.cache/trivy
+ path: ${{ github.workspace }}/.cache/trivy
 key: trivy-cache-${{ steps.date.outputs.date }}
 
 # Download and extract the vulnerability DB and Java DB
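Review bot: The quoting fix is fine, but `date +'%Y-%m-%d'` on the changed line uses the runner's local timezone, so the day boundary of the `trivy-cache-<date>` key, and therefore the moment the DB gets refreshed, depends on where the runner happens to be (GitHub-hosted runners are UTC; self-hosted ones may not be); `date -u +'%Y-%m-%d'` makes the key roll over at the same instant everywhere. The steps that consume this output are outside the hunk.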
@@ -117,24 +117,24 @@ jobs:
 - name: Download and extract the vulnerability DB
 if: steps.trivy-cache.outputs.cache-hit != 'true'
 run: |
- mkdir -p "$GITHUB_WORKSPACE/${{ inputs.app_name }}/.cache/trivy/db"
+ mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/db"
 oras pull ghcr.io/aquasecurity/trivy-db:2
- tar -xzf db.tar.gz -C "$GITHUB_WORKSPACE/${{ inputs.app_name }}/.cache/trivy/db"
+ tar -xzf db.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/db"
 rm db.tar.gz
 
 - name: Download and extract the Java DB
 if: steps.trivy-cache.outputs.cache-hit != 'true'
 run: |
- mkdir -p "$GITHUB_WORKSPACE/${{ inputs.app_name }}/.cache/trivy/java-db"
+ mkdir -p "$GITHUB_WORKSPACE/.cache/trivy/java-db"
 oras pull ghcr.io/aquasecurity/trivy-java-db:1
- tar -xzf javadb.tar.gz -C "$GITHUB_WORKSPACE/${{ inputs.app_name }}/.cache/trivy/java-db"
+ tar -xzf javadb.tar.gz -C "$GITHUB_WORKSPACE/.cache/trivy/java-db"
 rm javadb.tar.gz
 
 - name: Cache DBs
 if: steps.trivy-cache.outputs.cache-hit != 'true'
 uses: actions/cache/save@v4
 with:
- path: ${{ github.workspace }}/${{ inputs.app_name }}/.cache/trivy
+ path: ${{ github.workspace }}/.cache/trivy
 key: trivy-cache-${{ steps.date.outputs.date }}
 
 - name: Restore cached Docker image
From e99bc37bf04d4fa33219c63b8304c17b6709beea Mon Sep 17 00:00:00 2001
From: "kai [they]"
Date: Wed, 13 Nov 2024 12:14:52 -0800
Subject: [PATCH 9/9] Update vulnerability-scans.yml
---
 .github/workflows/vulnerability-scans.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
index a0569a242..c5ec4fe5a 100644
--- a/.github/workflows/vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
@@ -2,7 +2,6 @@
 # to ensure images built are secure before they are deployed.
 
 name: Vulnerability Scans
-run-name: Vulnerability Scans for ${{ inputs.app_name }}
 
 on:
 workflow_call: