trivy-action
Demonstrate how to use --cache-dir flag with GitHub cache action
Trivy has the --cache-dir flag to point to the location where DB and image layers are cached. If we combine that with the https://github.com/actions/cache we can speed up some build jobs.
Hey @danielpacak - I tried to look into this and observed the following:

- `trivy image` doesn't support the `--cache-dir` flag - not sure why
- When the `aquasec/trivy` container runs, I believe it creates `/root/.cache/trivy` inside the `aquasec/trivy` container. For `actions/cache` to cache that directory, it needs to live on the host filesystem. Maybe this can be achieved by mounting a volume like so: `docker run --rm -v ~/.cache:/root/.cache aquasec/trivy [image-ref]`

tl;dr: this proved to be more complicated than I anticipated 😅
Hi @danielpacak

I am also trying to run Trivy in a Tekton-based pipeline, with an example here:
https://github.com/lumjjb/tekton-demo/blob/master/yamls/build-img-task.yaml https://github.com/lumjjb/tekton-demo/blob/master/yamls/update-trivy.yaml

I also see that there is no `--cache-dir` flag. I was wondering whether that has been removed. It would be nice to have the Trivy DB downloaded and image layers cached for faster scanning.

Kevin
The `--cache-dir` flag is a global option. Check the output of `trivy -h` instead of `trivy image -h` and you'll get it. I checked Trivy v0.12.0 and it's there.
Sadly, that doesn't make sense. I tried trivy-action in our GH workflow in several versions, and indeed the `cache-dir` flag doesn't work: `Incorrect Usage: flag provided but not defined: -cache-dir`

My GH workflow step looks like this:

```yaml
- name: Scan branch for vulnerabilities
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'fs'
    format: 'table'
    exit-code: '1'
    cache-dir: /tmp/.cache
    ignore-unfixed: true
    vuln-type: 'os,library'
    severity: 'CRITICAL,HIGH'
```
@bluedigits See #50 and associated PR, that seems to resolve the error you are facing.
However, even with that fix I don't think the integration with GH actions is working, I still see the DB being downloaded on every run. I suspect the cache-dir also needs to be mounted as a volume on the Docker image which is not the case currently.
I'll try to look into this a bit more tomorrow.
Okay, got the cache to work using the fix proposed in PR #51 along with the following workflow:

```yaml
- uses: actions/[email protected]
  with:
    path: .trivy
    key: ${{ runner.os }}-trivy-${{ github.run_id }}
    restore-keys: |
      ${{ runner.os }}-trivy-
- name: Scan image for vulnerabilities
  uses: vlaurin/trivy-action@fix/cache-dir # Temporarily using fix branch instead of aquasecurity/trivy-action@master
  with:
    image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}'
    exit-code: '1'
    ignore-unfixed: true
    severity: 'CRITICAL,HIGH'
    vuln-type: 'os'
    cache-dir: .trivy
- name: Correct Trivy cache permissions
  run: sudo chown -R $USER:$GROUP .trivy
```

A few things to note:

- It's crucial for the Trivy cache directory to be created under the default working directory (`$GITHUB_WORKSPACE`), as this directory is the one being mounted as a volume on Docker actions like trivy-action, and for the cache directory to be usable by Trivy it does need to be mounted as a volume.
- Files and folders created by Trivy inside trivy-action on the mounted volume are owned by `root:root` instead of the usual `runner:docker` which owns other files in the GitHub workspace. If left as is, this causes a "permission denied" error when the cache action then tries to read the `.trivy` folder. To resolve this, we need ownership to be transferred to `runner:docker`, which is what the step "Correct Trivy cache permissions" is doing.
`aquasecurity/trivy-action@master` works with `actions/cache@v3`.
I've created trivy-cache-action. It uses GitHub's `packages/container/{name}/versions` API to get the latest DB SHA256 and uses it for the cache key. This action is equivalent to the steps below:

```yaml
- id: trivy-db
  name: Check trivy db sha
  env:
    GH_TOKEN: ${{ github.token }}
  run: |
    endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
    headers='Accept: application/vnd.github+json'
    jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
    sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
    echo "Trivy DB sha256:${sha}"
    echo "::set-output name=sha::${sha}"
- uses: actions/cache@v3
  with:
    path: .trivy
    key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db.outputs.sha }}
- name: Vulnerability scan
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: my-image:v1.0.0
    exit-code: '1'
    ignore-unfixed: true
    cache-dir: .trivy
- name: Fix .trivy permissions
  run: sudo chown -R $(stat . -c %u:%g) .trivy
```

As @vlaurin mentioned, I had to fix the permissions on the `.trivy` directory, otherwise you get the error below:

```
Warning: EACCES: permission denied, scandir '/home/runner/work/***/***/.trivy
```

Maybe Trivy can change the permission when downloading the DB so it can be easily cached?
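The cache-key derivation in the workflow above is the part worth getting right: if the key does not change when a new trivy-db is published, the stale DB is restored forever and Trivy re-downloads it on every run anyway. The following is an added example, not code from trivy-action or trivy-cache-action, that reproduces the `jq` filter from the step above in Python so it can be run offline and checked. The JSON is a constructed sample in the shape of the `GET /orgs/aquasecurity/packages/container/trivy-db/versions` response (only the `name` and `metadata.container.tags` fields are assumed); the function names are my own. It also tightens one detail: the `jq` filter uses `contains("latest")`, which would also match a tag such as `latest-rc`, so the example matches the tag exactly and fails loudly when the response does not contain exactly one `latest` version.

```python
"""Derive an actions/cache key for the Trivy vulnerability DB from the GHCR
package-versions API response. Added example, not part of trivy-action."""
import json

# Constructed sample response (not real digests): three published versions,
# only the second carries the "latest" tag, the third is untagged.
SAMPLE_VERSIONS_JSON = json.dumps([
    {
        "name": "sha256:" + "1" * 64,
        "metadata": {"container": {"tags": ["2", "20231001"]}},
    },
    {
        "name": "sha256:" + "2" * 64,
        "metadata": {"container": {"tags": ["2", "latest"]}},
    },
    {
        "name": "sha256:" + "3" * 64,
        "metadata": {"container": {"tags": []}},
    },
])


def latest_db_digest(versions_json: str) -> str:
    """Return the hex digest of the package version tagged exactly 'latest'.

    Equivalent to the jq filter
      .[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")
    except that the tag match is exact and an unexpected response raises
    instead of silently yielding an empty or multi-line key.
    """
    versions = json.loads(versions_json)
    matches = [
        v["name"]
        for v in versions
        if "latest" in v.get("metadata", {}).get("container", {}).get("tags", [])
    ]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one 'latest' version, got {len(matches)}")
    name = matches[0]
    prefix = "sha256:"
    if not name.startswith(prefix) or len(name) != len(prefix) + 64:
        raise ValueError(f"unexpected digest format: {name}")
    return name[len(prefix):]


def cache_key(runner_os: str, digest: str) -> str:
    """Primary cache key: embeds the DB digest, so a new trivy-db release
    produces a cache miss and a fresh download instead of a stale restore."""
    return f"{runner_os}-trivy-db-{digest}"


def restore_key_prefix(runner_os: str) -> str:
    """Optional restore-keys prefix: on a miss, restore the previous cache so
    Trivy only has to refresh the DB rather than start from an empty dir."""
    return f"{runner_os}-trivy-db-"


def github_output_line(name: str, value: str) -> str:
    """Line to append to the file named by $GITHUB_OUTPUT; this replaces the
    deprecated '::set-output' workflow command used in the step above."""
    return f"{name}={value}"


if __name__ == "__main__":
    digest = latest_db_digest(SAMPLE_VERSIONS_JSON)
    print(cache_key("Linux", digest))
    print(github_output_line("sha", digest))
```

In a workflow the JSON would come from `gh api -H "Accept: application/vnd.github+json" /orgs/aquasecurity/packages/container/trivy-db/versions` on stdin, and the printed key feeds `actions/cache`. Keep the `chown` step after the scan regardless of how the key is built: the key only controls restore, the ownership problem is caused by Trivy writing as root inside the action container.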
I'd love it if GHA caching was enabled out of the box like the Docker Build Action does it.