ci(trivy): Trivy fixes - use CLI instead of action (#313)

Signed-off-by: Dave Henderson <dave.henderson@grafana.com>
grafana · Jan 9, 2025 · 37acba5 · 37acba5
1 parent 36f1534
commit 37acba5
Showing 1 changed file with 33 additions and 25 deletions.
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
@@ -10,32 +10,40 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
-    - name: Run Trivy vulnerability scanner (table output)
-      uses: aquasecurity/trivy-action@0.29.0
-      with:
-        scan-type: 'fs'
-        scanners: 'vuln'
-        format: 'table'
-        exit-code: 1
-        ignore-unfixed: true
-        vuln-type: 'os,library'
-        severity: 'CRITICAL,HIGH'
-        trivyignores: .trivyignore
-    - name: Run Trivy vulnerability scanner (SARIF)
-      uses: aquasecurity/trivy-action@0.29.0
+    - name: Install Trivy
+      uses: aquasecurity/setup-trivy@v0.2.2
       with:
-        scan-type: 'fs'
-        scanners: 'vuln'
-        # Note: The SARIF format ignores severity and uploads all vulns for
-        # later triage. The table-format step above is used to fail the build
-        # if there are any critical or high vulnerabilities.
-        # See https://github.com/aquasecurity/trivy-action/issues/95
-        format: 'sarif'
-        output: 'trivy-results.sarif'
-        ignore-unfixed: true
-        vuln-type: 'os,library'
-        trivyignores: .trivyignore
-      if: always() && github.repository == 'grafana/certmagic-gcs'
+        version: v0.58.1
+        cache: true
+    - name: Download Trivy DB
+      run: |
+        trivy fs --no-progress --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db
+    - name: Run Trivy vulnerability scanner (table output)
+      # Use the trivy binary rather than the aquasecurity/trivy-action action
+      # to avoid a few bugs
+      run: |
+        trivy fs \
+          --scanners vuln \
+          --format table \
+          --exit-code 1 \
+          --ignore-unfixed \
+          --pkg-types os,library \
+          --severity CRITICAL,HIGH \
+          --ignorefile .trivyignore \
+          --skip-db-update \
+          .
+    - name: Run Trivy vulnerability scanner
+      # Use the trivy binary rather than the aquasecurity/trivy-action action
+      # to avoid a few bugs
+      run: |
+        trivy fs \
+          --scanners vuln \
+          --format sarif \
+          --output trivy-results.sarif \
+          --ignore-unfixed \
+          --pkg-types os,library \
+          --skip-db-update \
+          .
     - name: Upload Trivy scan results to GitHub Security tab
       uses: github/codeql-action/upload-sarif@v3
       with: