Trivy DB #6492
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Trivy DB | |
| on: | |
| schedule: | |
| - cron: '0 */6 * * *' | |
| workflow_dispatch: | |
| env: | |
| REPO_OWNER: ${{ github.repository_owner }} # used in 'make db-build' | |
| GH_USER: aqua-bot | |
| VERSION: 2 | |
| jobs: | |
| build: | |
| name: Build DB | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Maximize build space | |
| uses: easimon/maximize-build-space@v10 | |
| with: | |
| root-reserve-mb: 32768 # vuln-list dirs + language repositories use more than 12GB of storage | |
| remove-android: "true" | |
| remove-docker-images: "true" | |
| remove-dotnet: "true" | |
| remove-haskell: "true" | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Install bbolt | |
| run: go install go.etcd.io/bbolt/cmd/bbolt@v1.3.5 | |
| - name: Download vuln-list and advisories | |
| run: make db-fetch-langs db-fetch-vuln-list | |
| - name: Build the binary | |
| run: make build | |
| - name: Build database | |
| run: make db-build | |
| - name: Compact DB | |
| run: make db-compact | |
| - name: Compress assets | |
| run: make db-compress | |
| - name: Move DB | |
| run: mv assets/db.tar.gz . | |
| - name: Login to GitHub Packages Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ env.GH_USER }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install oras | |
| run: | | |
| # upgrade to ORAS 1.0.0 | |
| curl -LO https://github.com/oras-project/oras/releases/download/v1.0.0/oras_1.0.0_linux_amd64.tar.gz | |
| tar -xvf ./oras_1.0.0_linux_amd64.tar.gz | |
| - name: Upload assets to GHCR | |
| run: | | |
| ./oras version | |
| tags=(latest ${{ env.VERSION }}) | |
| for tag in ${tags[@]}; do | |
| ./oras push --artifact-type application/vnd.aquasec.trivy.config.v1+json \ | |
| ghcr.io/${{ github.repository }}:${tag} \ | |
| db.tar.gz:application/vnd.aquasec.trivy.db.layer.v1.tar+gzip | |
| done |