Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upload Trivy DBs to GHCR #4430

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Upload Trivy DBs to GHCR #4430

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
ff0c8fb
Test Caching
asteel-gsa Nov 4, 2024
3d3acf5
Change Tag
asteel-gsa Nov 4, 2024
598d0c0
Remove Cache Test
asteel-gsa Nov 4, 2024
605dbc9
Test Scan
asteel-gsa Nov 4, 2024
bab99ac
Remove unnecessary matrix
asteel-gsa Nov 4, 2024
20976ed
Remove test branch
asteel-gsa Nov 4, 2024
183dd5f
Test web container scan
asteel-gsa Nov 4, 2024
ab77e6d
Change tags to match upstream
asteel-gsa Nov 4, 2024
d1b026b
Remove test
asteel-gsa Nov 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 45 additions & 0 deletions .github/workflows/trivy-cache.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
---
name: Cache Trivy DBs
on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:

permissions:
packages: write
id-token: write

jobs:
caching:
name: Cache Trivy DBs
runs-on: ubuntu-latest
env:
repo_name: gsa-tts/fac
steps:
- name: Install ORAS
id: oras
uses: oras-project/setup-oras@v1

- name: Authenticate to GHCR
id: ghcr
run: |
oras login ghcr.io \
-u ${{ github.actor }} \
-p ${{ github.token }}

- name: Pull Trivy Images
id: pull
run: |
oras pull ghcr.io/aquasecurity/trivy-db:2
oras pull ghcr.io/aquasecurity/trivy-java-db:1

- name: Push Trivy Images
id: push
run: |
oras push ghcr.io/${{ env.repo_name }}/trivy-db:2 \
db.tar.gz:application/vnd.aquasec.trivy.db.layer.v1.tar+gzip \
--artifact-type application/vnd.aquasec.trivy.config.v1+json

oras push ghcr.io/${{ env.repo_name }}/trivy-java-db:1 \
javadb.tar.gz:application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip \
--artifact-type application/vnd.aquasec.trivy.config.v1+json
13 changes: 13 additions & 0 deletions .github/workflows/trivy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ jobs:
security-events: write
actions: read
env:
repo_name: gsa-tts/fac
DOCKER_NAME: fac
WORKING_DIRECTORY: ./backend
name: Trivy Scan FAC Web Container
Expand All @@ -40,6 +41,11 @@ jobs:

- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: ghcr.io/${{ env.repo_name }}/trivy-db,public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/${{ env.repo_name }}/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ github.token }}
with:
image-ref: '${{ env.DOCKER_NAME }}:${{ steps.date.outputs.date }}'
scan-type: 'image'
Expand All @@ -63,6 +69,8 @@ jobs:
actions: read
name: Trivy Scan Third Party Images
runs-on: ubuntu-latest
env:
repo_name: gsa-tts/fac
strategy:
fail-fast: false
matrix:
Expand All @@ -75,6 +83,11 @@ jobs:

- name: Run Trivy vulnerability scanner on Third Party Images
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: ghcr.io/${{ env.repo_name }}/trivy-db,public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/${{ env.repo_name }}/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ github.token }}
with:
image-ref: '${{ matrix.image.name }}'
scan-type: 'image'
Expand Down