Fix rate limiting issue in Trivy workflow scan #23634
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sgress454
requested review from
lukeheath,
georgekarrv and
sharon-fdm
as code owners
sgress454
commented
Nov 7, 2024
Comment on lines
+25
to
+28
| env: | ||
| AWS_REGION: us-east-2 | ||
| AWS_IAM_ROLE: arn:aws:iam::160035666661:role/github-actions-role | ||
|
|
There was a problem hiding this comment.
Added for use in aws-actions/configure-aws-credentials
sgress454
commented
Nov 7, 2024
Comment on lines
+58
to
+59
| TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db | ||
| TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db |
There was a problem hiding this comment.
See aquasecurity/trivy-db#440. Pulling from these may become the default in future Trivy versions, at which point we could back this out and let them drive again.
lukeheath
approved these changes
Nov 7, 2024
mostlikelee
pushed a commit
that referenced
this pull request
Nov 10, 2024
lucasmrod
added a commit
that referenced
this pull request
Nov 12, 2024
Exactly same fix as #23634. PS: Thanks @sgress454!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR updates the way that the Trivy scan workflow downloads the vulnerability database. Previously, it would download the database from the Github container registry (ghcr.io) by default. This caused issues where the request for the file would get a "too many requests" error response, seemingly due to ever user of Trivy being lumped together for the purpose of rate limiting. Now, we're instructing Trivy to download the dbs from their own public ECR. We're also authenticating with AWS first, so that we get our own quota.
This PR also updates the version of the Github checkout action to avoid a warning about it not being designed for Node 20:
I tested this by pushing the branch up and triggering the workflow manually. Only time will tell if it really solves the rate limit issue, since we run this pretty infrequently.