From 373fa21ad1c65e554b60534ca8957ccc106266e4 Mon Sep 17 00:00:00 2001
From: Ben Harvey
Date: Fri, 15 Nov 2024 10:21:18 -0500
Subject: [PATCH] Fix Trivy rate limit error by pulling vulnerability DB from ECR (#227)

* Use GitHub PAT
* try setup-trivy action
* try ECR mirror
* Add comment
---
 .github/workflows/_docker-build.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/_docker-build.yml b/.github/workflows/_docker-build.yml
index a8b279b..49c42cb 100644
--- a/.github/workflows/_docker-build.yml
+++ b/.github/workflows/_docker-build.yml
@@ -87,7 +87,10 @@ jobs:
 provenance: false # the default behavior adds an 'image index' which clutters up ECR, see https://github.com/docker/buildx/issues/1533
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ # avoid GHCR rate limits, see https://github.com/aquasecurity/trivy-db/pull/440 and https://github.com/aquasecurity/trivy-action/issues/389
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
 with:
 image-ref: ${{ steps.set-image-tag-with-repo.outputs.image-tag-with-repo }}
 format: "table"