Fix Trivy rate limit error by pulling vulnerability DB from ECR (#227)

* Use GitHub PAT * try setup-trivy action * try ECR mirror * Add comment
Enterprise-CMCS · Nov 15, 2024 · 373fa21 · 373fa21
1 parent ab9f42f
commit 373fa21
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/.github/workflows/_docker-build.yml b/.github/workflows/_docker-build.yml
@@ -87,7 +87,10 @@ jobs:
           provenance: false # the default behavior adds an 'image index' which clutters up ECR, see https://github.com/docker/buildx/issues/1533
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.28.0
+        env:
+          # avoid GHCR rate limits, see https://github.com/aquasecurity/trivy-db/pull/440 and https://github.com/aquasecurity/trivy-action/issues/389
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
         with:
           image-ref: ${{ steps.set-image-tag-with-repo.outputs.image-tag-with-repo }}
           format: "table"