feat: cache trivy database

wetransform · Sep 25, 2024 · 7e651c2 · 7e651c2
1 parent 20f3905
commit 7e651c2
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/action.yml b/action.yml
@@ -90,6 +90,15 @@ runs:
     # Scan for security vulnerabilities
     #
 
+    - name: Restore trivy cache
+      id: cache-trivy-restore
+      uses: actions/cache/restore@v4
+      with:
+        path: .trivy
+        key: ${{ runner.os }}-trivy-${{ github.job }}-${{ github.run_id }}
+        restore-keys: |
+            ${{ runner.os }}-trivy-
+
       # https://github.com/aquasecurity/trivy-action
       # Approach based on https://github.com/aquasecurity/trivy-action/issues/173#issuecomment-1497774518
     - name: Create SBOM
@@ -101,6 +110,7 @@ runs:
         format: 'cyclonedx' # spdx-json
         template: '@/contrib/junit.tpl'
         output: "${{ env.REPORT_SLUG }}-sbom.json"
+        cache-dir: .trivy
     - name: Use existing SBOM
       if: "${{ inputs.scan-ref != '' }}"
       shell: bash
@@ -134,6 +144,7 @@ runs:
         ignore-unfixed: true
         vuln-type: 'os,library'
         severity: ${{ inputs.fail-for }}
+        cache-dir: .trivy
 
     - name: Create vulnerability report as HTML
       uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
@@ -143,6 +154,7 @@ runs:
         format: 'template'
         template: '@/contrib/html.tpl'
         output: ${{ env.REPORT_FILENAME }}
+        cache-dir: .trivy
     - name: Upload vulnerability report
       uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
       if: always()
@@ -165,13 +177,26 @@ runs:
         format: 'template'
         template: '@trivy-summary.tpl'
         output: 'trivy.md'
+        cache-dir: .trivy
     - name: Add to job summary
       if: ${{ inputs.create-summary == 'true' }}
       shell: bash
       run: |
         echo "### Vulnerability summary (${{ inputs.image-ref != '' && inputs.image-ref || 'fs' }})" >> $GITHUB_STEP_SUMMARY
         cat trivy.md >> $GITHUB_STEP_SUMMARY
 
+      # Save trivy cache
+    - name: Fix .trivy permissions
+      shell: bash
+      run: sudo chown -R $(stat . -c %u:%g) .trivy
+    - name: Save trivy cache
+      if: always() # always save
+      id: cache-trivy-save
+      uses: actions/cache/save@v4
+      with:
+        path: .trivy
+        key: ${{ steps.cache-trivy-restore.outputs.cache-primary-key }}
+
     #
     # Report on unit tests and critical vulnerabilities
     #