Update trivy action and use GITHUB_TOKEN #7829

smola · 2024-10-23T12:21:57Z

What Does This Do

Set GITHUB_TOKEN env var for trivy to use it when downloading its database.
Update trivy-action to use a more recent trivy version and caching.

Motivation

Avoids rate limits:

2024-10-23T12:21:50Z	INFO	Need to update DB
2024-10-23T12:21:50Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T12:21:50Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: database download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:cae74bde88d988a66b3a4fb824b17b48f38c92258dfecbb748975694233641be: TOOMANYREQUESTS: retry-after: 304.877µs, allowed: 44000/minute

See: https://github.com/aquasecurity/trivy/blob/9514148767865baddd73a49245385574927f7a74/pkg/downloader/download.go#L188-L195

Additional Notes

This change required passlisting aquasecurity/[email protected], even if it's not really used. Tracked this limitation upstream: aquasecurity/trivy-action#423

Contributor Checklist

Format the title according the contribution guidelines
Assign the type: and (comp: or inst:) labels in addition to any usefull labels
Squash your commits prior merging or merge using GitHub's Squash and merge
Don't use close, fix or any linking keywords when referencing an issue.
Use solves instead, and assign the PR milestone to the issue
~~[ ] Update the public documentation in case of new configuration flag or behavior~~

pr-commenter · 2024-10-23T13:01:22Z

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	smola/ci-trivy-docker-login
git_commit_date	1729847668	1730099564
git_commit_sha	`7010cb8`	`5226fc9`
release_version	1.42.0-SNAPSHOT~7010cb865c	1.42.0-SNAPSHOT~5226fc996b

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1730102774	1730102774
ci_job_id	685902467	685902467
ci_pipeline_id	47566372	47566372
cpu_model	Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz
module	Agent	Agent
parent	None	None
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 53 metrics, 10 unstable metrics.

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.42.0-SNAPSHOT~5226fc996b, baseline=1.42.0-SNAPSHOT~7010cb865c

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.584 s) : 0, 1584145
Total [baseline] (11.91 s) : 0, 11909938
Agent [candidate] (1.58 s) : 0, 1579892
Total [candidate] (11.875 s) : 0, 11875069
section iast
Agent [baseline] (1.76 s) : 0, 1759598
Total [baseline] (12.839 s) : 0, 12838911
Agent [candidate] (1.75 s) : 0, 1750307
Total [candidate] (12.751 s) : 0, 12750509
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.746 s) : 0, 1746382
Total [baseline] (12.735 s) : 0, 12734706
Agent [candidate] (1.75 s) : 0, 1749970
Total [candidate] (12.749 s) : 0, 12748780
section iast_TELEMETRY_OFF
Agent [baseline] (1.745 s) : 0, 1745002
Total [baseline] (12.766 s) : 0, 12765757
Agent [candidate] (1.745 s) : 0, 1745040
Total [candidate] (12.824 s) : 0, 12824491

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.584 s	-
Agent	iast	1.76 s	175.452 ms (11.1%)
Agent	iast_HARDCODED_SECRET_DISABLED	1.746 s	162.237 ms (10.2%)
Agent	iast_TELEMETRY_OFF	1.745 s	160.857 ms (10.2%)
Total	tracing	11.91 s	-
Total	iast	12.839 s	928.972 ms (7.8%)
Total	iast_HARDCODED_SECRET_DISABLED	12.735 s	824.768 ms (6.9%)
Total	iast_TELEMETRY_OFF	12.766 s	855.819 ms (7.2%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.58 s	-
Agent	iast	1.75 s	170.415 ms (10.8%)
Agent	iast_HARDCODED_SECRET_DISABLED	1.75 s	170.077 ms (10.8%)
Agent	iast_TELEMETRY_OFF	1.745 s	165.147 ms (10.5%)
Total	tracing	11.875 s	-
Total	iast	12.751 s	875.44 ms (7.4%)
Total	iast_HARDCODED_SECRET_DISABLED	12.749 s	873.712 ms (7.4%)
Total	iast_TELEMETRY_OFF	12.824 s	949.422 ms (8.0%)

gantt
    title insecure-bank - break down per module: candidate=1.42.0-SNAPSHOT~5226fc996b, baseline=1.42.0-SNAPSHOT~7010cb865c

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (1.012 s) : 0, 1011645
BytebuddyAgent [candidate] (1.01 s) : 0, 1010117
GlobalTracer [baseline] (465.273 ms) : 0, 465273
GlobalTracer [candidate] (463.625 ms) : 0, 463625
AppSec [baseline] (75.76 ms) : 0, 75760
AppSec [candidate] (75.348 ms) : 0, 75348
Remote Config [baseline] (812.257 µs) : 0, 812
Remote Config [candidate] (818.355 µs) : 0, 818
Telemetry [baseline] (10.533 ms) : 0, 10533
Telemetry [candidate] (9.816 ms) : 0, 9816
section iast
BytebuddyAgent [baseline] (1.181 s) : 0, 1180572
BytebuddyAgent [candidate] (1.174 s) : 0, 1174032
GlobalTracer [baseline] (443.95 ms) : 0, 443950
GlobalTracer [candidate] (442.734 ms) : 0, 442734
AppSec [baseline] (77.542 ms) : 0, 77542
AppSec [candidate] (77.676 ms) : 0, 77676
Remote Config [baseline] (756.881 µs) : 0, 757
Remote Config [candidate] (728.025 µs) : 0, 728
Telemetry [baseline] (9.489 ms) : 0, 9489
Telemetry [candidate] (9.308 ms) : 0, 9308
IAST [baseline] (27.029 ms) : 0, 27029
IAST [candidate] (25.613 ms) : 0, 25613
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (1.171 s) : 0, 1170624
BytebuddyAgent [candidate] (1.174 s) : 0, 1173650
GlobalTracer [baseline] (441.816 ms) : 0, 441816
GlobalTracer [candidate] (442.212 ms) : 0, 442212
AppSec [baseline] (76.102 ms) : 0, 76102
AppSec [candidate] (75.942 ms) : 0, 75942
Remote Config [baseline] (746.236 µs) : 0, 746
Remote Config [candidate] (756.298 µs) : 0, 756
Telemetry [baseline] (9.427 ms) : 0, 9427
Telemetry [candidate] (9.536 ms) : 0, 9536
IAST [baseline] (27.574 ms) : 0, 27574
IAST [candidate] (27.646 ms) : 0, 27646
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (1.169 s) : 0, 1169292
BytebuddyAgent [candidate] (1.169 s) : 0, 1168662
GlobalTracer [baseline] (441.526 ms) : 0, 441526
GlobalTracer [candidate] (441.728 ms) : 0, 441728
AppSec [baseline] (77.582 ms) : 0, 77582
AppSec [candidate] (77.853 ms) : 0, 77853
Remote Config [baseline] (745.318 µs) : 0, 745
Remote Config [candidate] (754.597 µs) : 0, 755
Telemetry [baseline] (9.353 ms) : 0, 9353
Telemetry [candidate] (9.359 ms) : 0, 9359
IAST [baseline] (26.394 ms) : 0, 26394
IAST [candidate] (26.504 ms) : 0, 26504

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.42.0-SNAPSHOT~5226fc996b, baseline=1.42.0-SNAPSHOT~7010cb865c

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.58 s) : 0, 1580158
Total [baseline] (14.377 s) : 0, 14376746
Agent [candidate] (1.583 s) : 0, 1583179
Total [candidate] (14.48 s) : 0, 14480188
section appsec
Agent [baseline] (1.791 s) : 0, 1790705
Total [baseline] (14.594 s) : 0, 14594464
Agent [candidate] (1.783 s) : 0, 1782871
Total [candidate] (14.644 s) : 0, 14643669
section iast
Agent [baseline] (1.764 s) : 0, 1763724
Total [baseline] (15.068 s) : 0, 15068145
Agent [candidate] (1.758 s) : 0, 1758113
Total [candidate] (14.994 s) : 0, 14994350
section profiling
Agent [baseline] (1.9 s) : 0, 1899916
Total [baseline] (14.776 s) : 0, 14775562
Agent [candidate] (1.906 s) : 0, 1905641
Total [candidate] (14.8 s) : 0, 14799748

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.58 s	-
Agent	appsec	1.791 s	210.547 ms (13.3%)
Agent	iast	1.764 s	183.567 ms (11.6%)
Agent	profiling	1.9 s	319.759 ms (20.2%)
Total	tracing	14.377 s	-
Total	appsec	14.594 s	217.718 ms (1.5%)
Total	iast	15.068 s	691.399 ms (4.8%)
Total	profiling	14.776 s	398.816 ms (2.8%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.583 s	-
Agent	appsec	1.783 s	199.691 ms (12.6%)
Agent	iast	1.758 s	174.934 ms (11.0%)
Agent	profiling	1.906 s	322.461 ms (20.4%)
Total	tracing	14.48 s	-
Total	appsec	14.644 s	163.481 ms (1.1%)
Total	iast	14.994 s	514.162 ms (3.6%)
Total	profiling	14.8 s	319.56 ms (2.2%)

gantt
    title petclinic - break down per module: candidate=1.42.0-SNAPSHOT~5226fc996b, baseline=1.42.0-SNAPSHOT~7010cb865c

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (1.011 s) : 0, 1010522
BytebuddyAgent [candidate] (1.011 s) : 0, 1011429
GlobalTracer [baseline] (463.628 ms) : 0, 463628
GlobalTracer [candidate] (463.8 ms) : 0, 463800
AppSec [baseline] (75.283 ms) : 0, 75283
AppSec [candidate] (75.551 ms) : 0, 75551
Remote Config [baseline] (818.822 µs) : 0, 819
Remote Config [candidate] (815.103 µs) : 0, 815
Telemetry [baseline] (9.808 ms) : 0, 9808
Telemetry [candidate] (11.356 ms) : 0, 11356
section appsec
BytebuddyAgent [baseline] (1.04 s) : 0, 1039579
BytebuddyAgent [candidate] (1.036 s) : 0, 1036222
GlobalTracer [baseline] (461.579 ms) : 0, 461579
GlobalTracer [candidate] (459.829 ms) : 0, 459829
AppSec [baseline] (243.907 ms) : 0, 243907
AppSec [candidate] (243.421 ms) : 0, 243421
Remote Config [baseline] (816.857 µs) : 0, 817
Remote Config [candidate] (778.792 µs) : 0, 779
Telemetry [baseline] (10.753 ms) : 0, 10753
Telemetry [candidate] (10.156 ms) : 0, 10156
IAST [baseline] (27.762 ms) : 0, 27762
IAST [candidate] (24.546 ms) : 0, 24546
section iast
BytebuddyAgent [baseline] (1.183 s) : 0, 1183467
BytebuddyAgent [candidate] (1.18 s) : 0, 1179710
GlobalTracer [baseline] (445.121 ms) : 0, 445121
GlobalTracer [candidate] (443.418 ms) : 0, 443418
AppSec [baseline] (77.211 ms) : 0, 77211
AppSec [candidate] (75.755 ms) : 0, 75755
Remote Config [baseline] (790.1 µs) : 0, 790
Remote Config [candidate] (760.966 µs) : 0, 761
Telemetry [baseline] (9.645 ms) : 0, 9645
Telemetry [candidate] (9.529 ms) : 0, 9529
IAST [baseline] (27.185 ms) : 0, 27185
IAST [candidate] (28.58 ms) : 0, 28580
section profiling
BytebuddyAgent [baseline] (1.003 s) : 0, 1002584
BytebuddyAgent [candidate] (1.003 s) : 0, 1003402
GlobalTracer [baseline] (593.003 ms) : 0, 593003
GlobalTracer [candidate] (591.931 ms) : 0, 591931
AppSec [baseline] (75.757 ms) : 0, 75757
AppSec [candidate] (75.921 ms) : 0, 75921
Remote Config [baseline] (814.274 µs) : 0, 814
Remote Config [candidate] (820.087 µs) : 0, 820
Telemetry [baseline] (13.747 ms) : 0, 13747
Telemetry [candidate] (13.1 ms) : 0, 13100
ProfilingAgent [baseline] (156.505 ms) : 0, 156505
ProfilingAgent [candidate] (162.847 ms) : 0, 162847
Profiling [baseline] (156.56 ms) : 0, 156560
Profiling [candidate] (162.901 ms) : 0, 162901

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
end_time	2024-10-28T07:24:10	2024-10-28T07:31:01
git_branch	master	smola/ci-trivy-docker-login
git_commit_date	1729847668	1730099564
git_commit_sha	`7010cb8`	`5226fc9`
release_version	1.42.0-SNAPSHOT~7010cb865c	1.42.0-SNAPSHOT~5226fc996b
start_time	2024-10-28T07:23:57	2024-10-28T07:30:47

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1730101008	1730101008
ci_job_id	685902469	685902469
ci_pipeline_id	47566372	47566372
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.42.0-SNAPSHOT~5226fc996b, baseline=1.42.0-SNAPSHOT~7010cb865c
    dateFormat X
    axisFormat %s
section baseline
no_agent (368.917 µs) : 349, 389
.   : milestone, 369,
iast (486.154 µs) : 464, 508
.   : milestone, 486,
iast_FULL (635.372 µs) : 614, 657
.   : milestone, 635,
iast_GLOBAL (530.647 µs) : 509, 553
.   : milestone, 531,
iast_HARDCODED_SECRET_DISABLED (477.758 µs) : 457, 499
.   : milestone, 478,
iast_INACTIVE (438.025 µs) : 417, 459
.   : milestone, 438,
iast_TELEMETRY_OFF (471.938 µs) : 451, 493
.   : milestone, 472,
tracing (439.811 µs) : 419, 461
.   : milestone, 440,
section candidate
no_agent (360.761 µs) : 341, 381
.   : milestone, 361,
iast (489.128 µs) : 467, 511
.   : milestone, 489,
iast_FULL (637.008 µs) : 616, 658
.   : milestone, 637,
iast_GLOBAL (508.823 µs) : 488, 530
.   : milestone, 509,
iast_HARDCODED_SECRET_DISABLED (488.115 µs) : 467, 509
.   : milestone, 488,
iast_INACTIVE (439.858 µs) : 419, 461
.   : milestone, 440,
iast_TELEMETRY_OFF (472.546 µs) : 451, 494
.   : milestone, 473,
tracing (436.35 µs) : 416, 457
.   : milestone, 436,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	368.917 µs [349.041 µs, 388.792 µs]	-
iast	486.154 µs [464.135 µs, 508.173 µs]	117.237 µs (31.8%)
iast_FULL	635.372 µs [614.118 µs, 656.626 µs]	266.455 µs (72.2%)
iast_GLOBAL	530.647 µs [508.587 µs, 552.707 µs]	161.73 µs (43.8%)
iast_HARDCODED_SECRET_DISABLED	477.758 µs [456.755 µs, 498.761 µs]	108.841 µs (29.5%)
iast_INACTIVE	438.025 µs [417.32 µs, 458.731 µs]	69.109 µs (18.7%)
iast_TELEMETRY_OFF	471.938 µs [450.747 µs, 493.129 µs]	103.021 µs (27.9%)
tracing	439.811 µs [418.716 µs, 460.906 µs]	70.894 µs (19.2%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	360.761 µs [341.016 µs, 380.505 µs]	-
iast	489.128 µs [467.49 µs, 510.766 µs]	128.367 µs (35.6%)
iast_FULL	637.008 µs [615.617 µs, 658.398 µs]	276.247 µs (76.6%)
iast_GLOBAL	508.823 µs [487.713 µs, 529.934 µs]	148.063 µs (41.0%)
iast_HARDCODED_SECRET_DISABLED	488.115 µs [467.24 µs, 508.99 µs]	127.355 µs (35.3%)
iast_INACTIVE	439.858 µs [419.203 µs, 460.512 µs]	79.097 µs (21.9%)
iast_TELEMETRY_OFF	472.546 µs [451.316 µs, 493.776 µs]	111.785 µs (31.0%)
tracing	436.35 µs [415.887 µs, 456.812 µs]	75.589 µs (21.0%)

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.42.0-SNAPSHOT~5226fc996b, baseline=1.42.0-SNAPSHOT~7010cb865c
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.338 ms) : 1318, 1357
.   : milestone, 1338,
appsec (1.714 ms) : 1689, 1738
.   : milestone, 1714,
appsec_no_iast (1.703 ms) : 1678, 1727
.   : milestone, 1703,
iast (1.469 ms) : 1446, 1492
.   : milestone, 1469,
profiling (1.473 ms) : 1450, 1495
.   : milestone, 1473,
tracing (1.456 ms) : 1432, 1480
.   : milestone, 1456,
section candidate
no_agent (1.333 ms) : 1313, 1352
.   : milestone, 1333,
appsec (1.728 ms) : 1706, 1751
.   : milestone, 1728,
appsec_no_iast (1.732 ms) : 1708, 1755
.   : milestone, 1732,
iast (1.475 ms) : 1452, 1497
.   : milestone, 1475,
profiling (1.471 ms) : 1448, 1493
.   : milestone, 1471,
tracing (1.459 ms) : 1435, 1483
.   : milestone, 1459,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.338 ms [1.318 ms, 1.357 ms]	-
appsec	1.714 ms [1.689 ms, 1.738 ms]	376.105 µs (28.1%)
appsec_no_iast	1.703 ms [1.678 ms, 1.727 ms]	364.876 µs (27.3%)
iast	1.469 ms [1.446 ms, 1.492 ms]	131.274 µs (9.8%)
profiling	1.473 ms [1.45 ms, 1.495 ms]	134.994 µs (10.1%)
tracing	1.456 ms [1.432 ms, 1.48 ms]	117.986 µs (8.8%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.333 ms [1.313 ms, 1.352 ms]	-
appsec	1.728 ms [1.706 ms, 1.751 ms]	395.587 µs (29.7%)
appsec_no_iast	1.732 ms [1.708 ms, 1.755 ms]	398.732 µs (29.9%)
iast	1.475 ms [1.452 ms, 1.497 ms]	141.651 µs (10.6%)
profiling	1.471 ms [1.448 ms, 1.493 ms]	137.952 µs (10.4%)
tracing	1.459 ms [1.435 ms, 1.483 ms]	126.058 µs (9.5%)

Dacapo

smola · 2024-10-28T14:20:59Z

Discarded in favor of #7841

smola added tag: no release notes Changes to exclude from release notes comp: tooling Build & Tooling labels Oct 23, 2024

smola force-pushed the smola/ci-trivy-docker-login branch from 5eaa988 to 87571df Compare October 23, 2024 12:24

smola changed the title ~~Use docker login before Trivy action~~ Update trivy action and use GITHUB_TOKEN Oct 23, 2024

smola added 2 commits October 23, 2024 15:47

Use docker login before Trivy action

3b07dfd

Set GITHUB_TOKEN env var for Trivy

03c62bf

smola force-pushed the smola/ci-trivy-docker-login branch from 2b5dd19 to bccbc78 Compare October 23, 2024 13:47

Upgrade to trivy-action v0.28.0

ed89a8d

smola force-pushed the smola/ci-trivy-docker-login branch from bccbc78 to ed89a8d Compare October 23, 2024 13:48

Pin setup-trivy

ff4ae00

smola force-pushed the smola/ci-trivy-docker-login branch from 88cc78c to e2bbce2 Compare October 23, 2024 14:14

Pin trivy-action to main

afe860c

smola force-pushed the smola/ci-trivy-docker-login branch from e2bbce2 to afe860c Compare October 23, 2024 14:26

PerfectSlayer mentioned this pull request Oct 28, 2024

Fix Trivy database pull #7841

Merged

5 tasks

Merge branch 'master' into smola/ci-trivy-docker-login

5226fc9

smola closed this Oct 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update trivy action and use GITHUB_TOKEN #7829

Update trivy action and use GITHUB_TOKEN #7829

smola commented Oct 23, 2024 •

edited

Loading

pr-commenter bot commented Oct 23, 2024 •

edited

Loading

smola commented Oct 28, 2024

Update trivy action and use GITHUB_TOKEN #7829

Update trivy action and use GITHUB_TOKEN #7829

Conversation

smola commented Oct 23, 2024 • edited Loading

What Does This Do

Motivation

Additional Notes

Contributor Checklist

pr-commenter bot commented Oct 23, 2024 • edited Loading

Benchmarks

Startup

Parameters

Summary

Load

Parameters

Summary

Dacapo

smola commented Oct 28, 2024

smola commented Oct 23, 2024 •

edited

Loading

pr-commenter bot commented Oct 23, 2024 •

edited

Loading