fix trivy scan and enable caching of vulnerability DB #3192
Conversation
DaMandal0rian
force-pushed
the
hotfix/trivy-scan
branch
from
01a54da to
cfc4977
Compare
|
|
||
| - name: Download and extract the vulnerability DB | ||
| run: | | ||
| mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db |
There was a problem hiding this comment.
$GITHUB_WORKSPACE is already the default, why using it explicitly?
There was a problem hiding this comment.
Just my preference for readability but I have changed it.
| key: cache-trivy-${{ steps.date.outputs.date }} | ||
|
|
||
| trivy_scan_image: | ||
| needs: update-trivy-db |
There was a problem hiding this comment.
This will result in update happening every single time, essentially defeating the purpose of caching, in fact caching just does more work here for no reason.
What should be done instead is a separate workflow like described in https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#updating-caches-in-the-default-branch that updates cache periodically and then use it in this workflow.
Even better approach and something I'd do would be to only update the cache if it is missing and then if cache recovery (for current date) is successful, we'll skip downloading. I have implemented this logic for GTK4 building here, the only major difference here is that the cache key will include a date.
| - name: Cache DBs | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: ${{ github.workspace }}/.cache/trivy |
There was a problem hiding this comment.
I believe this is equivalent:
| path: ${{ github.workspace }}/.cache/trivy | |
| path: .cache/trivy |
There was a problem hiding this comment.
This will download cache at 3 times, which is slow and will cost more in case bandwidth is not free.
What do you think about combining check-trivy-db-cache, update-trivy-db and trivy_scan_image into a single job that tries to download the cache, downloads database if cache is missing, then does all the checks it needs with database already in place?
Same as Space Acres repo checks cache, builds GTK4 if cache was missing and then continues doing what it was supposed to.
| - name: Cache DBs | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: .cache/trivy | ||
| key: cache-trivy-${{ needs.check-trivy-db-cache.outputs.date }} |
There was a problem hiding this comment.
Wouldn't this download and override the cache you wanted to store instead?
That makes sense, will make it into one job, that way will be more efficient. |
DaMandal0rian
force-pushed
the
hotfix/trivy-scan
branch
from
706cd57 to
d4fd9c1
Compare
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
|
Well, looks like this didn't quite work, there are some errors, for example here: https://github.com/autonomys/subspace/actions/runs/11616240335/job/32348713553 |
This PR fixes the trivy scanner by caching the vulnerability DB and downloading a new update every 24 hours. We are currently being rate-limited which is related to this issue
Code contributor checklist: