Workaround for ghcr rate limiting of trivy db downloads (#1770)

* Workaround for ghcr rate limiting of trivy db downloads * Use env for settings + bump codeql action * Update checkout action * Better doc
2024-10-07 13:03:46 -04:00 · 2024-10-07 13:03:46 -04:00 · f6da036619
parent 093fbbc0f3
commit f6da036619
1 changed files with 8 additions and 2 deletions
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@ -14,10 +14,14 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Run static analysis
        uses: aquasecurity/trivy-action@master
+        env:
+          # Workaround for rate limiting on ghcr. Use these two entries for ghcr related TOOMANYREQUESTS errors.
+          TRVIY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRVIY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
        with:
          scan-type: 'fs'
          vuln-type: 'library'
@ -28,8 +32,10 @@ jobs:
          severity: 'MEDIUM,HIGH,CRITICAL'


+
+
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
          category: 'Trivy-security-scan'