
Commit bbeccaf

authored
chore(github): improve trivy scan time (#9065)
1 parent d1aca56 commit bbeccaf


1 file changed

+27
-15
lines changed


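--- a/.github/actions/trivy-scan/action.yml
+++ b/.github/actions/trivy-scan/action.yml
@@ -45,32 +45,44 @@ outputs:
 runs:
 using: 'composite'
 steps:
+- name: Cache Trivy vulnerability database
+uses: actions/cache@f0a67a2ed41fa8c0d21ab1521da3a46b0c9ae5e4 # v4.3.1
+with:
+path: ~/.cache/trivy
+key: trivy-db-${{ runner.os }}-${{ github.run_id }}
+restore-keys: |
+trivy-db-${{ runner.os }}-
+
+- name: Run Trivy vulnerability scan (JSON)
+uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+with:
+image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
+format: 'json'
+output: 'trivy-report.json'
+severity: ${{ inputs.severity }}
+exit-code: '0'
+scanners: 'vuln'
+timeout: '5m'
+
 - name: Run Trivy vulnerability scan (SARIF)
-if: inputs.upload-sarif == 'true'
+if: inputs.upload-sarif == 'true' && github.event_name == 'push'
 uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
 with:
 image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
 format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
 exit-code: '0'
+scanners: 'vuln'
+timeout: '5m'
 
 - name: Upload Trivy results to GitHub Security tab
-if: inputs.upload-sarif == 'true'
+if: inputs.upload-sarif == 'true' && github.event_name == 'push'
 uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
 with:
 sarif_file: 'trivy-results.sarif'
 category: 'trivy-container'
 
-- name: Run Trivy vulnerability scan (JSON)
-uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
-with:
-image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
-format: 'json'
-output: 'trivy-report.json'
-severity: ${{ inputs.severity }}
-exit-code: '0'
-
 - name: Upload Trivy report artifact
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 if: always()
@@ -109,20 +121,20 @@ runs:
 with:
 script: |
 const comment = require('./.github/scripts/trivy-pr-comment.js');
-
+
 // Unique identifier to find our comment
 const marker = '<!-- trivy-scan-comment:${{ inputs.image-name }} -->';
 const body = marker + '\n' + comment;
-
+
 // Find existing comment
 const { data: comments } = await github.rest.issues.listComments({
 owner: context.repo.owner,
 repo: context.repo.repo,
 issue_number: context.issue.number,
 });
-
+
 const existingComment = comments.find(c => c.body?.includes(marker));
-
+
 if (existingComment) {
 // Update existing comment
 await github.rest.issues.updateComment({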
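Review bot: The new cache step keys on `${{ github.run_id }}`, so the exact key can never hit; every run restores through the `trivy-db-${{ runner.os }}-` prefix and then saves a fresh copy of the Trivy DB under yet another key, which spends repository cache quota on each run and evicts other entries. A key that only changes when the DB should rotate — for example a date component produced by a preceding step plus the pinned trivy-action version — would let actions/cache skip the save on a hit and would also stop a future Trivy upgrade from restoring a DB with an incompatible schema; I believe Trivy re-downloads once the cached DB's next-update time has passed, so a reused key should not pin a stale DB, but that is worth confirming before relying on it. The reordering that puts the JSON scan ahead of the SARIF scan is deliberate but undocumented; a comment on the first scan step such as `# JSON scan runs first so the SARIF scan below reuses the already-downloaded DB` would keep a later edit from moving it back. The second hunk only normalizes whitespace inside the github-script body and needs no change.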
