From 1551157c23abf447f4dc077058ac21b1836ccccb Mon Sep 17 00:00:00 2001 From: Scott Gress Date: Thu, 7 Nov 2024 15:06:17 -0600 Subject: [PATCH] Fix rate limiting issue in Trivy workflow scan (#23634) --- .github/workflows/trivy-scan.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml index 9e0686c46b05..b6be91c7352e 100644 --- a/.github/workflows/trivy-scan.yml +++ b/.github/workflows/trivy-scan.yml @@ -22,12 +22,17 @@ defaults: # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference shell: bash +env: + AWS_REGION: us-east-2 + AWS_IAM_ROLE: arn:aws:iam::160035666661:role/github-actions-role + permissions: contents: read jobs: trivy: permissions: + id-token: write # for aws-actions/configure-aws-credentials contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Trivy sarif report @@ -40,10 +45,18 @@ jobs: egress-policy: audit - name: Checkout code - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + with: + role-to-assume: ${{env.AWS_IAM_ROLE}} + aws-region: ${{ env.AWS_REGION }} - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0 + env: + TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db + TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db with: scan-type: "fs" ignore-unfixed: false