aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Demonstrate how to use --cache-dir flag with GitHub cache action #12

Open danielpacak opened 4 years ago

danielpacak commented 4 years ago

Trivy has the --cache-dir flag to point to the location where DB and image layers are cached. If we combine that with the https://github.com/actions/cache we can speed up some build jobs.

kgeorgiou commented 3 years ago

Hey @danielpacak - I tried to look into this and observed the following:

  1. trivy image doesn't support the --cache-dir flag - not sure why
  2. When the aquasec/trivy container runs, I believe it creates /root/.cache/trivy inside the aquasec/trivy container. For actions/cache to cache that directory, it needs to live on the host filesystem. Maybe this can be achieved by mounting a volume like so: docker run --rm -v ~/.cache:/root/.cache aquasec/trivy [image-ref]

tl;dr: this proved to be more complicated than I anticipated 😅

linuxbsdfreak commented 3 years ago

Hi @danielpacak

I am also trying to run Trivy with Tekton, based on this example:

https://github.com/lumjjb/tekton-demo/blob/master/yamls/build-img-task.yaml https://github.com/lumjjb/tekton-demo/blob/master/yamls/update-trivy.yaml

I also see that there is no --cache-dir flag. I was wondering whether that has been removed. Would be nice to have the trivy db downloaded and image layers cached for faster scanning.

Kevin

danielpacak commented 3 years ago

> Hi @danielpacak
>
> I am also trying to run Trivy with Tekton, based on this example:
>
> https://github.com/lumjjb/tekton-demo/blob/master/yamls/build-img-task.yaml https://github.com/lumjjb/tekton-demo/blob/master/yamls/update-trivy.yaml
>
> I also see that there is no --cache-dir flag. I was wondering whether that has been removed. Would be nice to have the trivy db downloaded and image layers cached for faster scanning.
>
> Kevin

The --cache-dir flag is the global option. Check the output of trivy -h instead of trivy image -h and you'll get it. I checked Trivy v0.12.0 and it's there

merlinrabens commented 3 years ago

> > Hi @danielpacak
> >
> > I am also trying to run Trivy with Tekton, based on this example:
> >
> > https://github.com/lumjjb/tekton-demo/blob/master/yamls/build-img-task.yaml https://github.com/lumjjb/tekton-demo/blob/master/yamls/update-trivy.yaml
> >
> > I also see that there is no --cache-dir flag. I was wondering whether that has been removed. Would be nice to have the trivy db downloaded and image layers cached for faster scanning.
> >
> > Kevin
>
> The --cache-dir flag is the global option. Check the output of trivy -h instead of trivy image -h and you'll get it. I checked Trivy v0.12.0 and it's there

Sadly, that doesn't make sense. I tried trivy-action in our GH workflow in several versions, and indeed the cache-dir flag doesn't work:

    Incorrect Usage: flag provided but not defined: -cache-dir

My GH workflow step looks like this:

      - name: Scan branch for vulnerabilities
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          format: 'table'
          exit-code: '1'
          cache-dir: /tmp/.cache
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

vlaurin commented 3 years ago

@bluedigits See #50 and associated PR, that seems to resolve the error you are facing.

However, even with that fix I don't think the integration with GH actions is working, I still see the DB being downloaded on every run. I suspect the cache-dir also needs to be mounted as a volume on the Docker image which is not the case currently.

I'll try to look into this a bit more tomorrow.

vlaurin commented 3 years ago

Okay, got the cache to work using the fix proposed in PR #51 along with the following workflow:

      - uses: actions/cache@v2.1.4
        with:
          path: .trivy
          key: ${{ runner.os }}-trivy-${{ github.run_id }}
          restore-keys: |
            ${{ runner.os }}-trivy-

      - name: Scan image for vulnerabilities
        uses: vlaurin/trivy-action@fix/cache-dir # Temporarily using fix branch instead of aquasecurity/trivy-action@master
        with:
          image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          vuln-type: 'os'
          cache-dir: .trivy

      - name: Correct Trivy cache permissions
        run: sudo chown -R $USER:$GROUP .trivy

Few things to note:

yogeshlonkar commented 2 years ago

aquasecurity/trivy-action@master action works with actions/cache@v3

I've created trivy-cache-action; it uses GitHub's packages/container/{name}/versions API to get the latest DB SHA256 and uses it for the cache key. This action is equivalent to the steps below:

- id: trivy-db
  name: Check trivy db sha
  env:
    GH_TOKEN: ${{ github.token }}
  run: |
    endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
    headers='Accept: application/vnd.github+json'
    jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
    sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
    echo "Trivy DB sha256:${sha}"
    echo "::set-output name=sha::${sha}"
- uses: actions/cache@v3
  with:
    path: .trivy
    key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db.outputs.sha }}
- name: Vulnerability scan
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: my-image:v1.0.0
    exit-code: '1'
    ignore-unfixed: true
    cache-dir: .trivy
- name: Fix .trivy permissions
  run: sudo chown -R $(stat . -c %u:%g) .trivy

As @vlaurin mentioned, I had to fix the permissions on the .trivy directory, otherwise you get the error below:

Warning: EACCES: permission denied, scandir '/home/runner/work/***/***/.trivy

Maybe trivy can change the permission when downloading db so it can be easily cached?
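A worked version of the cache-key step from the workflow above, added here as an illustration; it is not code from trivy-cache-action or from this thread, and the JSON it parses is a constructed stand-in for the packages API response, not real output:

```python
import json
import re

# Constructed sample in the shape returned by
# `gh api /orgs/aquasecurity/packages/container/trivy-db/versions`,
# trimmed to the fields the cache-key logic needs. Not real API output.
SAMPLE_VERSIONS = json.dumps([
    {"name": "sha256:" + "fedcba9876543210" * 4,
     "metadata": {"container": {"tags": ["2", "2023-01-01"]}}},
    {"name": "sha256:" + "0123456789abcdef" * 4,
     "metadata": {"container": {"tags": ["2", "latest"]}}},
    {"name": "sha256:" + "00ff" * 16,
     "metadata": {"container": {"tags": []}}},  # untagged older version
])

DIGEST_RE = re.compile(r"^[0-9a-f]{64}$")


def trivy_db_digest(versions_json: str, tag: str = "latest") -> str:
    """Return the bare sha256 hex digest of the package version carrying `tag`.

    Same idea as the jq filter in the workflow step, but with an exact tag
    match (jq's contains() is a substring test) and a hard failure when the
    tag is missing, ambiguous or malformed, so a bad key never silently
    restores a stale DB from the cache.
    """
    versions = json.loads(versions_json)
    matches = [
        v for v in versions
        if tag in v.get("metadata", {}).get("container", {}).get("tags", [])
    ]
    if len(matches) != 1:
        raise LookupError(f"expected one version tagged {tag!r}, found {len(matches)}")
    name = matches[0]["name"]
    prefix = "sha256:"
    digest = name[len(prefix):] if name.startswith(prefix) else ""
    if not DIGEST_RE.match(digest):
        raise ValueError(f"unexpected version name: {name!r}")
    return digest


def cache_key(runner_os: str, digest: str) -> str:
    """Build the actions/cache key used in the workflow: <os>-trivy-db-<digest>."""
    return f"{runner_os}-trivy-db-{digest}"


if __name__ == "__main__":
    print(cache_key("Linux", trivy_db_digest(SAMPLE_VERSIONS)))
```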

BretFisher commented 1 year ago

I'd love it if GHA caching was enabled out of the box like the Docker Build Action does it.