https://github.com/yogeshlonkar/trivy-cache-action

Cache .trivy directory
# trivy-cache-action [![Tests](https://github.com/yogeshlonkar/trivy-cache-action/actions/workflows/workflow.yml/badge.svg)](https://github.com/yogeshlonkar/trivy-cache-action/actions/workflows/workflow.yml)

Forked from [actions/cache][actions-cache] to cache the `.trivy` directory used by the trivy vulnerability scanner.
The cache key is generated by fetching the latest trivy db SHA256 from [ghcr.io/aquasecurity/trivy-db](https://ghcr.io/aquasecurity/trivy-db), making sure the latest db is downloaded once it is available.

The cache directory is fixed to `.trivy` as it needs to be in `GITHUB_WORKSPACE`. `GITHUB_WORKSPACE` is the directory that is mounted as a volume on [`aquasecurity/trivy-action`][trivy-action], from where trivy can use it via the `--cache-dir` flag.
Files and folders generated by Trivy inside `.trivy` are by default owned by `root:root` instead of `runner:docker`, which is the default for files generated by GitHub Actions.
If ownership is not fixed in the Post cache step, the error below is thrown:

> Warning: EACCES: permission denied, scandir '/home/runner/work/\*\*\*/\*\*\*/.trivy

To resolve this, `trivy-cache-action` fixes ownership by running `chown -R $(stat . -c %u:%g) .trivy` with sudo if available.

Thanks to [@vlaurin](https://github.com/aquasecurity/trivy-action/issues/12#issuecomment-847854159) for the investigation and suggestions that make the cache work with [`aquasecurity/trivy-action`][trivy-action].

## Usage

### Pre-requisites

If you are using this inside a container, a POSIX-compliant `tar` needs to be included and accessible in the execution path.

**Since [`aquasecurity/trivy-action`][trivy-action] only supports Linux runners, this action is not tested on other platforms. It will most likely work, but you will need to make sure the `.trivy` directory is passed as an option to the trivy command.**

### Inputs

* `gh-token`: `REQUIRED` GitHub token for fetching trivy db version to determine cache key, e.g. `gh-token: ${{ secrets.GITHUB_TOKEN }}`
* `prefix`: Prefix for cache key in case multiple workflows concurrently push cache, e.g. `prefix: workflow1`

#### Environment Variables
* `SEGMENT_DOWNLOAD_TIMEOUT_MIN` - Segment download timeout (in minutes, default `60`) to abort download of the segment if not completed in the defined number of minutes. [Read more](#cache-segment-restore-timeout)

### Outputs

* `cache-hit` - A boolean value to indicate an exact match was found for the key

### Cache scopes

The cache is scoped to the key and branch. The default branch cache is available to other branches.
Since this action uses the trivy db SHA256 as the key, it will restore the cache as long as the trivy db has not been updated.

### Example workflow

```yaml
name: Caching Trivy DB

on: push

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3

      - name: Trivy Cache
        uses: yogeshlonkar/trivy-cache-action@v0
        with:
          gh-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Vulnerability scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: my-image:v1.0.0
          exit-code: '1'
          ignore-unfixed: true
          cache-dir: .trivy
```

> Note: You must use the `trivy-cache-action` in your workflow before you run [`aquasecurity/trivy-action`][trivy-action] for the files that might be restored from the cache. If the trivy db SHA256 doesn't match an existing cache, a new cache is automatically created if the job completes successfully.

## Alternatives

This action is equivalent to running the steps below with [`aquasecurity/trivy-action`][trivy-action]. You can use these instead of this action 🤷‍♂️, but you might have to modify the `Fix .trivy permissions` step if running inside a container.

```yaml
- id: trivy-db
  name: Check trivy db sha
  env:
    GH_TOKEN: ${{ github.token }}
  run: |
    endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
    headers='Accept: application/vnd.github+json'
    jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
    sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
    echo "Trivy DB sha256:${sha}"
    echo "sha=${sha}" >> "$GITHUB_OUTPUT"
- uses: actions/cache@v3
  with:
    path: .trivy
    key: trivy-db-${{ steps.trivy-db.outputs.sha }}
- name: Vulnerability scan
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: my-image:v1.0.0
    exit-code: '1'
    ignore-unfixed: true
    cache-dir: .trivy
- name: Fix .trivy permissions
  run: sudo chown -R $(stat . -c %u:%g) .trivy
```
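The cache-key derivation in the `Check trivy db sha` step, reimplemented in Python as an added illustration (not code from this action or from `actions/cache`). It parses a constructed sample of the GitHub package-versions response, picks the version tagged `latest`, strips the `sha256:` prefix, and refuses to produce an empty or malformed key, which the plain jq pipeline would silently do. The tag match is exact rather than jq's substring `contains`, and the `prefix-trivy-db-<sha>` key layout is an assumption, not the action's documented format.

```python
import json

# Constructed sample of the GitHub package-versions API response for
# ghcr.io/aquasecurity/trivy-db. Digests are made-up placeholders.
SAMPLE_VERSIONS = json.dumps([
    {"name": "sha256:" + "a1" * 32,
     "metadata": {"container": {"tags": ["2"]}}},
    {"name": "sha256:" + "b2" * 32,
     "metadata": {"container": {"tags": ["latest", "2"]}}},
    {"name": "sha256:" + "c3" * 32,
     "metadata": {"container": {"tags": []}}},
])


def latest_trivy_db_sha(versions_json: str) -> str:
    """Return the hex digest of the version tagged exactly 'latest'.

    Mirrors the jq filter
      .[] | select(.metadata.container.tags[] | contains("latest"))
          | .name | sub("sha256:";"")
    but raises instead of yielding an empty or duplicated key.
    """
    matches = [
        v["name"] for v in json.loads(versions_json)
        if "latest" in v.get("metadata", {}).get("container", {}).get("tags", [])
    ]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one 'latest' version, got {len(matches)}")
    digest = matches[0]
    # A registry digest is "sha256:" followed by 64 hex characters.
    if not digest.startswith("sha256:") or len(digest) != len("sha256:") + 64:
        raise ValueError(f"unexpected digest format: {digest!r}")
    return digest[len("sha256:"):]


def cache_key(sha: str, prefix: str = "") -> str:
    """Build the actions/cache key; `prefix` mirrors the action's optional input (assumed layout)."""
    return f"{prefix}-trivy-db-{sha}" if prefix else f"trivy-db-{sha}"


if __name__ == "__main__":
    sha = latest_trivy_db_sha(SAMPLE_VERSIONS)
    print(cache_key(sha, prefix="workflow1"))
```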

## Cache Limits

[Please refer `actions/cache`][actions-cache-limits]

## Cache Version

Cache versions are automatically handled based on the trivy-db SHA256.

## Cache segment restore timeout

[Please refer `actions/cache`][actions-cache-segment-restore-timeout]

## Contributing

We would love for you to contribute to `trivy-cache-action`, pull requests are welcome! Please see [CONTRIBUTING.md](CONTRIBUTING.md), inherited from the original repository [actions/cache](https://github.com/actions/cache), for more information.

## License

The scripts and documentation in this project are released under the [MIT License](LICENSE).

[actions-cache]: https://github.com/actions/cache
[actions-cache-limits]: https://github.com/actions/cache#cache-limits
[actions-cache-segment-restore-timeout]: https://github.com/actions/cache#cache-segment-restore-timeout
[trivy-action]: https://github.com/aquasecurity/trivy-action