aboutsummaryrefslogtreecommitdiffstats
path: root/.gitea
diff options
context:
space:
mode:
Diffstat (limited to '.gitea')
-rw-r--r--.gitea/workflows/db-trivy.yaml46
-rw-r--r--.gitea/workflows/release.yaml7
2 files changed, 52 insertions, 1 deletions
diff --git a/.gitea/workflows/db-trivy.yaml b/.gitea/workflows/db-trivy.yaml
new file mode 100644
index 0000000..30ec177
--- /dev/null
+++ b/.gitea/workflows/db-trivy.yaml
@@ -0,0 +1,46 @@
+# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans.
+# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true.
+name: Update Trivy Cache
+
+on:
+ schedule:
+ - cron: '0 0 * * *' # Run daily at midnight UTC
+ workflow_dispatch: # Allow manual triggering
+
+jobs:
+ update-trivy-db:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get current date
+ id: date
+ run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+ - name: Install Oras
+ id: oras
+ run: |
+ VERSION="1.2.0"
+ curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
+ mkdir -p oras-install/
+ tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
+ sudo mv oras-install/oras /usr/local/bin/
+ rm -rf oras_${VERSION}_*.tar.gz oras-install/
+
+ - name: Download and extract the vulnerability DB
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+ oras pull public.ecr.aws/aquasecurity/trivy-db:2
+ tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+ rm db.tar.gz
+
+ - name: Download and extract the Java DB
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+ oras pull public.ecr.aws/aquasecurity/trivy-java-db:1
+ tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+ rm javadb.tar.gz
+
+ - name: Cache DBs
+ uses: actions/cache/save@v4
+ with:
+ path: ${{ github.workspace }}/.cache/trivy
+ key: cache-trivy-${{ steps.date.outputs.date }}
diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
index d580c5b..aab9bc1 100644
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -52,7 +52,7 @@ jobs:
${{ secrets.DOCKER_REGISTRY_USER}}/yt-local:v0.2.19
- name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.27.0
with:
image-ref: ${{ secrets.DOCKER_REGISTRY_USER}}/yt-local:latest
format: 'table'
@@ -60,6 +60,11 @@ jobs:
ignore-unfixed: true
vuln-type: 'os'
severity: 'CRITICAL,HIGH'
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+ TRIVY_SKIP_DB_UPDATE: false
+ TRIVY_SKIP_JAVA_DB_UPDATE: false
- name: Push Docker image
uses: docker/build-push-action@v6