diff options
author | Jesus <heckyel@hyperbola.info> | 2024-10-13 01:46:33 +0800 |
---|---|---|
committer | Jesus <heckyel@hyperbola.info> | 2024-10-13 01:46:33 +0800 |
commit | 5ab63cfe46d5390cb95485502c71baa8a0491fa2 (patch) | |
tree | d4b4476ec8a0f99261525ac3e20f2366953db871 /.gitea | |
parent | 1d0bcb5c39dcbf272e4c05d87fc63b135547899f (diff) | |
download | yt-local-docker-5ab63cfe46d5390cb95485502c71baa8a0491fa2.tar.lz yt-local-docker-5ab63cfe46d5390cb95485502c71baa8a0491fa2.tar.xz yt-local-docker-5ab63cfe46d5390cb95485502c71baa8a0491fa2.zip |
Diffstat (limited to '.gitea')
-rw-r--r-- | .gitea/workflows/db-trivy.yaml | 46 | ||||
-rw-r--r-- | .gitea/workflows/release.yaml | 7 |
2 files changed, 52 insertions, 1 deletions
diff --git a/.gitea/workflows/db-trivy.yaml b/.gitea/workflows/db-trivy.yaml new file mode 100644 index 0000000..30ec177 --- /dev/null +++ b/.gitea/workflows/db-trivy.yaml @@ -0,0 +1,46 @@ +# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans. +# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true. +name: Update Trivy Cache + +on: + schedule: + - cron: '0 0 * * *' # Run daily at midnight UTC + workflow_dispatch: # Allow manual triggering + +jobs: + update-trivy-db: + runs-on: ubuntu-latest + steps: + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Install Oras + id: oras + run: | + VERSION="1.2.0" + curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz" + mkdir -p oras-install/ + tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/ + sudo mv oras-install/oras /usr/local/bin/ + rm -rf oras_${VERSION}_*.tar.gz oras-install/ + + - name: Download and extract the vulnerability DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db + oras pull public.ecr.aws/aquasecurity/trivy-db:2 + tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db + rm db.tar.gz + + - name: Download and extract the Java DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db + oras pull public.ecr.aws/aquasecurity/trivy-java-db:1 + tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db + rm javadb.tar.gz + + - name: Cache DBs + uses: actions/cache/save@v4 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml index d580c5b..aab9bc1 100644 --- a/.gitea/workflows/release.yaml +++ b/.gitea/workflows/release.yaml @@ -52,7 +52,7 @@ jobs: ${{ secrets.DOCKER_REGISTRY_USER}}/yt-local:v0.2.19 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@0.27.0 with: image-ref: ${{ secrets.DOCKER_REGISTRY_USER}}/yt-local:latest format: 'table' @@ -60,6 +60,11 @@ jobs: ignore-unfixed: true vuln-type: 'os' severity: 'CRITICAL,HIGH' + env: + TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 + TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 + TRIVY_SKIP_DB_UPDATE: false + TRIVY_SKIP_JAVA_DB_UPDATE: false - name: Push Docker image uses: docker/build-push-action@v6 |