diff --git a/action.yml b/action.yml
index 92b4a8d..a1a1b5d 100644
--- a/action.yml
+++ b/action.yml
@@ -56,7 +56,7 @@ runs:
       uses: jaxxstorm/action-install-gh-release@25d5e2dd555cd74f1fab9ac1e6ea117acde2c0c4 # v1.12.0
       with:
         repo: CycloneDX/cyclonedx-cli
-        tag: v0.25.1 # optional, otherwise use latest
+        tag: v0.27.1 # optional, otherwise use latest
         # extension-matching: disable # disable extension matching because artifacts are binaries
@@ -90,17 +90,27 @@ runs:
     # Scan for security vulnerabilities
     #
+    - name: Restore trivy cache
+      id: cache-trivy-restore
+      uses: actions/cache/restore@v4
+      with:
+        path: .trivy
+        key: ${{ runner.os }}-trivy-${{ github.job }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ runner.os }}-trivy-
+
     # https://github.com/aquasecurity/trivy-action
     # Approach based on https://github.com/aquasecurity/trivy-action/issues/173#issuecomment-1497774518
     - name: Create SBOM
       if: "${{ inputs.scan-ref == '' }}"
-      uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
+      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
       with:
         image-ref: '${{ inputs.image-ref }}'
         scan-type: "${{ inputs.image-ref != '' && 'image' || 'fs' }}"
         format: 'cyclonedx' # spdx-json
         template: '@/contrib/junit.tpl'
         output: "${{ env.REPORT_SLUG }}-sbom.json"
+        cache-dir: .trivy
     - name: Use existing SBOM
       if: "${{ inputs.scan-ref != '' }}"
       shell: bash
@@ -123,7 +133,7 @@ runs:
     # https://github.com/aquasecurity/trivy-action
     - name: Scan for critical vulnerabilities (create JUnit report)
-      uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
+      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
       if: "${{ inputs.junit-test-output != '' || inputs.create-test-report }}"
       with:
         scan-ref: "${{ env.REPORT_SLUG }}-sbom.json"
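Review bot: `uses: actions/cache/restore@v4` in the new Restore trivy cache step references a floating major tag, while every other action in this file is pinned to a full commit SHA with a version comment (`jaxxstorm/action-install-gh-release@25d5e2dd…`, `aquasecurity/trivy-action@6e7b7d1f…`, `actions/upload-artifact@50769540…`); the same applies to `actions/cache/save@v4` in the last hunk. A moving tag lets the code that actually runs change between workflow runs without any change to this file, which undoes the pinning discipline the rest of the action follows; pin it the same way, `uses: actions/cache/restore@<CACHE_RESTORE_COMMIT_SHA> # v4.x.y` (placeholder, fill in the SHA of the intended release). The primary `key:` embeds `github.run_id`, so it can never match a cache from an earlier run and every restore resolves through the `restore-keys` prefix; that is the approach the linked issue describes, but it is easy to misread as a bug, so a comment above `key:` would help, e.g. `# run_id keeps the key unique per run so a fresh cache is saved each time; restores fall back to the newest ${{ runner.os }}-trivy- entry`.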
@@ -134,15 +144,17 @@ runs:
         ignore-unfixed: true
         vuln-type: 'os,library'
         severity: ${{ inputs.fail-for }}
+        cache-dir: .trivy
     - name: Create vulnerability report as HTML
-      uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
+      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
       with:
         scan-ref: "${{ env.REPORT_SLUG }}-sbom.json"
         scan-type: sbom
         format: 'template'
         template: '@/contrib/html.tpl'
         output: ${{ env.REPORT_FILENAME }}
+        cache-dir: .trivy
     - name: Upload vulnerability report
       uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
       if: always()
@@ -158,13 +170,14 @@ runs:
         cp ${GITHUB_ACTION_PATH}/summary.tpl ./trivy-summary.tpl
     - name: Create summary on vulnerabilities
       if: ${{ inputs.create-summary == 'true' }}
-      uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
+      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
       with:
         scan-ref: "${{ env.REPORT_SLUG }}-sbom.json"
         scan-type: sbom
         format: 'template'
         template: '@trivy-summary.tpl'
         output: 'trivy.md'
+        cache-dir: .trivy
     - name: Add to job summary
       if: ${{ inputs.create-summary == 'true' }}
       shell: bash
@@ -172,6 +185,18 @@ runs:
         echo "### Vulnerability summary (${{ inputs.image-ref != '' && inputs.image-ref || 'fs' }})" >> $GITHUB_STEP_SUMMARY
         cat trivy.md >> $GITHUB_STEP_SUMMARY
+    # Save trivy cache
+    - name: Fix .trivy permissions
+      shell: bash
+      run: sudo chown -R $(stat . -c %u:%g) .trivy
+    - name: Save trivy cache
+      if: always() # always save
+      id: cache-trivy-save
+      uses: actions/cache/save@v4
+      with:
+        path: .trivy
+        key: ${{ steps.cache-trivy-restore.outputs.cache-primary-key }}
+
     #
     # Report on unit tests and critical vulnerabilities
     #
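Review bot: The new Fix .trivy permissions step has no `if:` condition while Save trivy cache has `if: always()`, so when an earlier scan step fails (which this action is designed to do on critical findings) the chown is skipped but the save still runs over a `.trivy` tree that, if the trivy container wrote it with a different owner, may not be fully readable by the runner user — presumably the situation the chown step exists to fix. The step also errors outright when `.trivy` is absent, and `stat . -c %u:%g` (option after the operand) relies on GNU stat and on `sudo` being available, which holds on the hosted Linux runners but not necessarily on self-hosted ones. Suggest adding `if: always()` to that step and guarding the command, `run: test ! -d .trivy || sudo chown -R "$(stat -c '%u:%g' .)" .trivy`, so the save step always sees a consistent tree or nothing. The steps list this hunk belongs to continues outside the hunk.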