diff --git a/action.yml b/action.yml
index 4a24829..a1a1b5d 100644
--- a/action.yml
+++ b/action.yml
@@ -90,6 +90,15 @@ runs:
 # Scan for security vulnerabilities
 #
 
+ - name: Restore trivy cache
+ id: cache-trivy-restore
+ uses: actions/cache/restore@v4
+ with:
+ path: .trivy
+ key: ${{ runner.os }}-trivy-${{ github.job }}-${{ github.run_id }}
+ restore-keys: |
+ ${{ runner.os }}-trivy-
+
 # https://github.com/aquasecurity/trivy-action
 # Approach based on https://github.com/aquasecurity/trivy-action/issues/173#issuecomment-1497774518
 - name: Create SBOM
@@ -101,6 +110,7 @@ runs:
 format: 'cyclonedx' # spdx-json
 template: '@/contrib/junit.tpl'
 output: "${{ env.REPORT_SLUG }}-sbom.json"
+ cache-dir: .trivy
 - name: Use existing SBOM
 if: "${{ inputs.scan-ref != '' }}"
 shell: bash
@@ -134,6 +144,7 @@ runs:
 ignore-unfixed: true
 vuln-type: 'os,library'
 severity: ${{ inputs.fail-for }}
+ cache-dir: .trivy
 
 - name: Create vulnerability report as HTML
 uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
@@ -143,6 +154,7 @@ runs:
 format: 'template'
 template: '@/contrib/html.tpl'
 output: ${{ env.REPORT_FILENAME }}
+ cache-dir: .trivy
 - name: Upload vulnerability report
 uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
 if: always()
@@ -165,6 +177,7 @@ runs:
 format: 'template'
 template: '@trivy-summary.tpl'
 output: 'trivy.md'
+ cache-dir: .trivy
 - name: Add to job summary
 if: ${{ inputs.create-summary == 'true' }}
 shell: bash
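Review bot: `uses: actions/cache/restore@v4` in this hunk (and `actions/cache/save@v4` in the hunk at -172) references a mutable tag, while every other third-party action in the file is pinned to a full commit SHA with the version in a trailing comment (`aquasecurity/trivy-action@6e7b7d1f… # 0.24.0`, `actions/upload-artifact@50769540… # v4.4.0`). A moved tag changes the code that reads and writes the cache without any diff in this repository; pin both cache steps the same way, e.g. `uses: actions/cache/restore@<commit-sha> # v4.x`. The `key:` line also deserves a why-comment, since `github.run_id` makes the primary key unique per run so the exact key never hits on restore and the save step always writes a new entry: `# run_id keeps the primary key unique so the save step always stores a fresh DB; restores fall back to the restore-keys prefix`. The enclosing `steps:` list starts and ends outside the hunk.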
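Review bot: `cache-dir: .trivy` is repeated as a literal here and in the hunks at -134, -143 and -165, and the same path appears as `path: .trivy` in the two cache steps; if any one of the six drifts, that trivy invocation silently downloads its own DB into a different directory and the saved cache no longer covers it. Defining the directory once (the file already routes values through `env`, e.g. `env.REPORT_SLUG`) and referencing it as `cache-dir: ${{ env.<cache-dir-var> }}` in each step would make the coupling explicit. Because `.trivy` lives inside the checked-out workspace, a filesystem scan rooted at the workspace (the `'fs'` case visible in the summary step) would presumably walk the cache directory as well; confirm nothing under it is picked up by the SBOM or `scan-ref` scans. Each `with:` block touched here starts outside its hunk.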
@@ -172,6 +185,18 @@ runs:
 echo "### Vulnerability summary (${{ inputs.image-ref != '' && inputs.image-ref || 'fs' }})" >> $GITHUB_STEP_SUMMARY
 cat trivy.md >> $GITHUB_STEP_SUMMARY
 
+ # Save trivy cache
+ - name: Fix .trivy permissions
+ shell: bash
+ run: sudo chown -R $(stat . -c %u:%g) .trivy
+ - name: Save trivy cache
+ if: always() # always save
+ id: cache-trivy-save
+ uses: actions/cache/save@v4
+ with:
+ path: .trivy
+ key: ${{ steps.cache-trivy-restore.outputs.cache-primary-key }}
+
 #
 # Report on unit tests and critical vulnerabilities
 #
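Review bot: The `Fix .trivy permissions` step has no `if: always()`, but the `Save trivy cache` step that depends on it does, so on the failure path (for example when the severity-gated scan fails the job) the save runs against a `.trivy` tree that was never chowned — presumably still owned by the user the trivy-action container wrote it as — and the cache write may fail or store the wrong ownership; give the fix step the same `if: always()` guard. `run: sudo chown -R $(stat . -c %u:%g) .trivy` also assumes passwordless `sudo` and GNU `stat`, and errors when `.trivy` does not exist, which would fail a job whose scans already passed; `run: if [ -d .trivy ]; then sudo chown -R "$(stat -c %u:%g .)" .trivy; fi` avoids that. The comment `# always save` restates the code; the useful comment is the reason: `# save even when the job fails so the downloaded vulnerability DB is reused by the next run`. The enclosing `steps:` list starts outside the hunk.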