yogeshlonkar/trivy-cache-action

trivy-cache-action

Forked from actions/cache to cache the .trivy directory used by the trivy vulnerability scanner. The cache key is generated by fetching the latest trivy db SHA256 from ghcr.io/aquasecurity/trivy-db, making sure the latest db is downloaded once it is available.

The cache directory is fixed to .trivy because it needs to be inside GITHUB_WORKSPACE. GITHUB_WORKSPACE is the directory that is mounted as a volume into aquasecurity/trivy-action, from where trivy can use it via the --cache-dir flag. Files and folders generated by Trivy inside .trivy are by default owned by root:root instead of runner:docker, which is the default for files generated by GitHub Actions. If ownership is not fixed in the Post cache step, the error below is thrown:

Warning: EACCES: permission denied, scandir '/home/runner/work/***/***/.trivy

To resolve this, trivy-cache-action fixes ownership by running chown -R $(stat . -c %u:%g) .trivy with sudo if available.

Thanks to @vlaurin for investigation and suggestions to make cache work with aquasecurity/trivy-action

Usage

Pre-requisites

If you are using this inside a container, a POSIX-compliant tar needs to be included and accessible in the execution path.

Since aquasecurity/trivy-action only supports Linux runners, this action is not tested on other platforms. It will most likely work, but you will need to make sure the .trivy directory is passed as an option to the trivy command.

Inputs

  • gh-token: REQUIRED GitHub token for fetching trivy db version to determine cache key, e.g. gh-token: ${{ secrets.GITHUB_TOKEN }}
  • prefix: Prefix for cache key in case multiple workflows concurrently push cache, e.g. prefix: workflow1

Environment Variables

  • SEGMENT_DOWNLOAD_TIMEOUT_MIN - Segment download timeout (in minutes, default 60): aborts the download of a cache segment if it has not completed within the defined number of minutes.

Outputs

  • cache-hit - A boolean value to indicate an exact match was found for the key

Cache scopes

The cache is scoped to the key and branch. The default branch cache is available to other branches; since this action uses the trivy db SHA256 as the key, it will restore the cache as long as the trivy db has not been updated.

Example workflow

name: Caching Trivy DB

on: push

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v3

    - name: Trivy Cache
      uses: yogeshlonkar/trivy-cache-action@v0
      with:
        gh-token: ${{ secrets.GITHUB_TOKEN }}

    - name: Vulnerability scan
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: my-image:v1.0.0
        exit-code: '1'
        ignore-unfixed: true
        cache-dir: .trivy

Note: You must use the trivy-cache-action in your workflow before you run aquasecurity/trivy-action for the files that might be restored from the cache. If the trivy db SHA256 doesn't match an existing cache, a new cache is automatically created if the job completes successfully.

Alternatives

This action is equivalent to running the steps below with aquasecurity/trivy-action. You can use these instead of this action 🤷‍♂️; you might have to modify the Fix .trivy permissions step if running inside a container.

- id: trivy-db
  name: Check trivy db sha
  env:
    GH_TOKEN: ${{ github.token }}
  run: |
    endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
    headers='Accept: application/vnd.github+json'
    jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
    sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
    echo "Trivy DB sha256:${sha}"
    echo "sha=${sha}" >> $GITHUB_OUTPUT
- uses: actions/cache@v3
  with:
    path: .trivy
    key: trivy-db-${{ steps.trivy-db.outputs.sha }}
- name: Vulnerability scan
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: my-image:v1.0.0
    exit-code: '1'
    ignore-unfixed: true
    cache-dir: .trivy
- name: Fix .trivy permissions
  run: sudo chown -R $(stat . -c %u:%g) .trivy
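The key derivation performed by the Check trivy db sha step, written out as an added JavaScript example (not the action's own code) against a constructed GitHub Packages versions response. It matches the "latest" tag exactly, which is stricter than the substring check contains("latest") in the jq filter above, and the way the prefix input is folded into the key is an assumption.

```javascript
// Added example, not code from trivy-cache-action.
// Constructed sample of the /orgs/aquasecurity/packages/container/trivy-db/versions response.
const SAMPLE_VERSIONS = [
  { id: 1, name: "sha256:" + "a".repeat(64), metadata: { container: { tags: ["1"] } } },
  { id: 2, name: "sha256:" + "b".repeat(64), metadata: { container: { tags: ["latest", "2"] } } },
  { id: 3, name: "sha256:" + "c".repeat(64), metadata: { container: { tags: [] } } },
];

// Digest (without the "sha256:" prefix) of the single version tagged exactly "latest".
// Exact tag match is stricter than the substring check contains("latest") used by jq above,
// and requiring exactly one match catches an empty or ambiguous API response early.
function latestTrivyDbSha(versions) {
  const matches = versions.filter(
    (v) => Array.isArray(v?.metadata?.container?.tags) && v.metadata.container.tags.includes("latest")
  );
  if (matches.length !== 1) {
    throw new Error(`expected exactly one version tagged "latest", found ${matches.length}`);
  }
  const sha = matches[0].name.replace(/^sha256:/, "");
  // A digest is 64 lowercase hex characters; anything else would yield a malformed cache key.
  if (!/^[0-9a-f]{64}$/.test(sha)) {
    throw new Error(`unexpected digest format: ${matches[0].name}`);
  }
  return sha;
}

// Cache key in the same shape as the actions/cache step above (trivy-db-<sha>).
// Folding the optional prefix input in front of the key is an assumption of this example.
function trivyCacheKey(versions, prefix = "") {
  const sha = latestTrivyDbSha(versions);
  return prefix ? `${prefix}-trivy-db-${sha}` : `trivy-db-${sha}`;
}

// A restored cache is still current only while the db digest behind its key is unchanged.
function cacheStillCurrent(restoredKey, versions, prefix = "") {
  return restoredKey === trivyCacheKey(versions, prefix);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(trivyCacheKey(SAMPLE_VERSIONS));
  console.log(trivyCacheKey(SAMPLE_VERSIONS, "workflow1"));
}
```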

Cache Limits

Please refer to actions/cache.

Cache Version

The cache version is automatically handled based on the trivy-db SHA256.

Cache segment restore timeout

Please refer to actions/cache.

Contributing

We would love for you to contribute to trivy-cache-action; pull requests are welcome! Please see CONTRIBUTING.md for more information, which is inherited from the original repository actions/cache.

License

The scripts and documentation in this project are released under the MIT License