From c220daceb1a81019574c084d30a97e0018ea6b42 Mon Sep 17 00:00:00 2001
From: Bruce Bujon
Date: Mon, 28 Oct 2024 13:02:12 +0100
Subject: [PATCH] fix: Fix Trivy database pull

---
 .github/workflows/ci.yml | 4 +++-
 .github/workflows/vuln-check.yml | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8a227f2..b1ad81d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,13 +46,15 @@ jobs:
 - name: Push images
 run: ./build --push
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 with:
 image-ref: '${{ steps.build.outputs.LATEST_IMAGE_TAG }}'
 format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
 limit-severities-for-sarif: true
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
 with:
diff --git a/.github/workflows/vuln-check.yml b/.github/workflows/vuln-check.yml
index 43f068e..c24f0bc 100644
--- a/.github/workflows/vuln-check.yml
+++ b/.github/workflows/vuln-check.yml
@@ -30,13 +30,15 @@ jobs:
 docker-images: false # Do not remove locally built images (including trivy scanner)
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 with:
 image-ref: 'ghcr.io/datadog/dd-trace-java-docker-build:latest'
 format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
 limit-severities-for-sarif: true
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
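Review bot: The new `env:` block on the "Run Trivy vulnerability scanner" step only adds a fallback registry for the vulnerability DB; Trivy's Java DB, which it pulls separately when the scanned image contains JAR/WAR artifacts (likely for an image named dd-trace-java-docker-build), still comes from its single default repository and would presumably fail on the same pull problem this commit works around. Consider adding `TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db` under the same `env:` (verify that the ECR Public mirror publishes the Java DB), together with a comment on `env:` such as `# Primary GHCR repository first, ECR Public mirror as fallback for DB pulls` so the reason for the second registry is not lost in a later cleanup. The same applies to the identical hunk in .github/workflows/vuln-check.yml. With both workflows now carrying the same pinned action, scan options and DB mirror list, a single shared source (a reusable workflow or composite action) would keep the two scanner steps from drifting apart again.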