From 5ab63cfe46d5390cb95485502c71baa8a0491fa2 Mon Sep 17 00:00:00 2001
From: Jesus <heckyel@hyperbola.info>
Date: Sun, 13 Oct 2024 01:46:33 +0800
Subject: Add db-trivy from another DB

---
 .gitea/workflows/db-trivy.yaml | 46 ++++++++++++++++++++++++++++++++++++++++++
 .gitea/workflows/release.yaml  |  7 ++++++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 .gitea/workflows/db-trivy.yaml

(limited to '.gitea')

diff --git a/.gitea/workflows/db-trivy.yaml b/.gitea/workflows/db-trivy.yaml
new file mode 100644
index 0000000..30ec177
--- /dev/null
+++ b/.gitea/workflows/db-trivy.yaml
@@ -0,0 +1,46 @@
+# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans.
+# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true.
+name: Update Trivy Cache
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Run daily at midnight UTC
+  workflow_dispatch:  # Allow manual triggering
+
+jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Install Oras
+        id: oras
+        run: |
+          VERSION="1.2.0"
+          curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
+          mkdir -p oras-install/
+          tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
+          sudo mv oras-install/oras /usr/local/bin/
+          rm -rf oras_${VERSION}_*.tar.gz oras-install/
+
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras pull public.ecr.aws/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+          rm db.tar.gz
+
+      - name: Download and extract the Java DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+          oras pull public.ecr.aws/aquasecurity/trivy-java-db:1
+          tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+          rm javadb.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}
diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
index d580c5b..aab9bc1 100644
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -52,7 +52,7 @@ jobs:
             ${{ secrets.DOCKER_REGISTRY_USER}}/yt-local:v0.2.19
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.27.0
         with:
           image-ref: ${{ secrets.DOCKER_REGISTRY_USER}}/yt-local:latest
           format: 'table'
@@ -60,6 +60,11 @@ jobs:
           ignore-unfixed: true
           vuln-type: 'os'
           severity: 'CRITICAL,HIGH'
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+          TRIVY_SKIP_DB_UPDATE: false
+          TRIVY_SKIP_JAVA_DB_UPDATE: false
 
       - name: Push Docker image
         uses: docker/build-push-action@v6
-- 
cgit v1.2.3