From d57768127f1a972ce8239ca276aeedd88a37aecb Mon Sep 17 00:00:00 2001
From: Tim Berthold <75306992+tmberthold@users.noreply.github.com>
Date: Wed, 9 Oct 2024 13:35:27 +0200
Subject: [PATCH] fix(trivy): prevent rate-limit issues (#867)

---
 .github/workflows/license_scan.yml | 12 ++++++++++--
 .github/workflows/secret_scan.yml | 6 +++++-
 .github/workflows/security_scan.yml | 12 ++++++++++--
 3 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/license_scan.yml b/.github/workflows/license_scan.yml
index 52a1ea7e1..52e335bcc 100644
--- a/.github/workflows/license_scan.yml
+++ b/.github/workflows/license_scan.yml
@@ -13,7 +13,11 @@ jobs:
 uses: actions/checkout@v3
 - name: Run license scanner
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.26.0
+ env:
+ #try default GitHub DBs, if failing, use AWS mirror instead (https://github.com/aquasecurity/trivy-action/issues/389)
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 with:
 scan-type: "rootfs"
 scan-ref: "."
@@ -28,7 +32,11 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v3
 - name: Run license scanner
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.26.0
+ env:
+ #try default GitHub DBs, if failing, use AWS mirror instead (https://github.com/aquasecurity/trivy-action/issues/389)
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 with:
 scan-type: "repo"
 scan-ref: "."
diff --git a/.github/workflows/secret_scan.yml b/.github/workflows/secret_scan.yml
index b27e1f6b1..b0eb00f02 100644
--- a/.github/workflows/secret_scan.yml
+++ b/.github/workflows/secret_scan.yml
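Review bot: The new `uses: aquasecurity/trivy-action@0.26.0` in the first hunk swaps the floating `@master` for a release tag, which is a real improvement, but a tag is still a mutable git ref that the upstream maintainers, or anyone who gains write access to that repository, can move to different code without this workflow noticing. The form GitHub's hardening guide and the OpenSSF Scorecard check for is a pin to the full 40-character commit SHA of the release, with the tag kept as a trailing comment (`uses: aquasecurity/trivy-action@<sha>  # 0.26.0`) so Dependabot or Renovate can keep both in sync. I cannot verify the SHA from this hunk, so I am not quoting one; the same applies to the unchanged `actions/checkout@v3` context line above it, which is a floating major tag. The job this step belongs to starts before the hunk.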
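Review bot: The second hunk repeats the whole `env:` block (`TRIVY_DB_REPOSITORY`, `TRIVY_JAVA_DB_REPOSITORY` and the comment) verbatim from the first, and the diffstat shows the same block landing in two more workflows, so the registry list now lives in five places that must stay in sync when a mirror changes. Within this file both steps are plain `trivy-action` steps, so the two variables could be hoisted to one workflow-level `env:` with the same effect on both jobs; across files a reusable workflow or composite action would remove the remaining copies. Two smaller points on the comment itself: write it as `# try default GitHub DBs …` with a space after the hash, which yamllint's `comments` rule expects, and state that the comma-separated fallback is only honoured by Trivy versions that accept a repository list — the action tag fixes which Trivy binary is bundled, so a future tag change is where this would silently stop falling back. I cannot see the bundled Trivy version from the hunk, so treat that as something to confirm against the action's release notes.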
@@ -17,7 +17,11 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v3
 - name: Run vulnerability scanner
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.26.0
+ env:
+ #try default GitHub DBs, if failing, use AWS mirror instead (https://github.com/aquasecurity/trivy-action/issues/389)
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 with:
 scan-type: "fs"
 exit-code: "1"
diff --git a/.github/workflows/security_scan.yml b/.github/workflows/security_scan.yml
index 6a5076180..703d1dcc5 100644
--- a/.github/workflows/security_scan.yml
+++ b/.github/workflows/security_scan.yml
@@ -12,7 +12,11 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
 - name: Run static analysis (rootfs)
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.26.0
+ env:
+ #try default GitHub DBs, if failing, use AWS mirror instead (https://github.com/aquasecurity/trivy-action/issues/389)
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 with:
 scan-type: "rootfs"
 scanners: "vuln,misconfig"
@@ -27,7 +31,11 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
 - name: Run static analysis (repo)
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.26.0
+ env:
+ #try default GitHub DBs, if failing, use AWS mirror instead (https://github.com/aquasecurity/trivy-action/issues/389)
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 with:
 scan-type: "repo"
 scanners: "vuln,misconfig"
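Review bot: The fallback `public.ecr.aws/aquasecurity/trivy-db` added to `TRIVY_DB_REPOSITORY` (and its java-db twin) widens the set of hosts this secret-scan job will pull a database from, and the comment records only the rate-limit motivation, not the trust decision. Both names are under the `aquasecurity` namespace, so the trust boundary looks unchanged, but nothing in the hunk shows whether the bundled Trivy verifies the DB artifact's signature before using it; if it does not, this list is effectively a trust anchor for every finding the step reports, and the comment should say so, e.g. `# Both registries are Aqua-operated; keep third-party mirrors out of this list, the scan results depend on whatever DB is pulled.` A silent fall-through to the mirror also means a stale mirror would go unnoticed in the logs, so it may be worth checking that the action's output makes the chosen registry visible. The job this step belongs to starts before the hunk.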
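Review bot: The `@0.26.0` pin in the first security_scan hunk is a tag, not a commit SHA, so it carries the same mutable-ref exposure as the other workflows in this patch; for a job that gates on `scanners: "vuln,misconfig"` the scanner itself is the most valuable thing in the pipeline to pin immutably, `uses: aquasecurity/trivy-action@<sha>  # 0.26.0`. I cannot verify the release SHA from this hunk, so confirm it against the upstream tag before pinning. This file already uses `actions/checkout@v4` where license_scan and secret_scan use `@v3`; the commit does not touch those lines, but if the pins are revisited it would be worth aligning them at the same time.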