Update to use trivy action (#249)

Tim Middleton · web-flow · commit 7b55c07ac2ca · 2024-11-22T12:48:11.000+08:00
* Update to use trivy action
* Minor fix
diff --git a/.github/workflows/build-trivy.yaml b/.github/workflows/build-trivy.yaml
@@ -27,36 +27,9 @@ jobs:
       with:
         fetch-depth: 0
 
-    - name: Setup oras
-      run: |
-        VERSION="1.2.0"
-        curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
-        mkdir -p oras-install/
-        tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
-        sudo mv oras-install/oras /usr/local/bin/
-        rm -rf oras_${VERSION}_*.tar.gz oras-install/
-
-    - name: Get current date
-      id: date
-      run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
-
-    - name: Download and extract the vulnerability DB
-      run: |
-        mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
-        oras pull ghcr.io/aquasecurity/trivy-db:2
-        tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
-        rm db.tar.gz
-
-    - name: Download and extract the Java DB
-      run: |
-        mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
-        oras pull ghcr.io/aquasecurity/trivy-java-db:1
-        tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
-        rm javadb.tar.gz
-
-    - name: Trivy Scan
-      shell: bash
-      run: |
-        echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
-        export TRIVY_CACHE=$GITHUB_WORKSPACE/.cache/trivy
-        make trivy-scan
+    - name: Run Trivy vulnerability scanner to scan repo
+      uses: aquasecurity/trivy-action@0.29.0
+      with:
+        scan-type: 'fs'
+        skip-dirs: 'java'
+        exit-code: 1
diff --git a/Makefile b/Makefile
@@ -395,10 +395,6 @@ golangci: $(TOOLS_BIN)/golangci-lint ## Go code review
 # ======================================================================================================================
 ##@ Miscellaneous
 
-.PHONY: trivy-scan
-trivy-scan: gettrivy ## Scan the CLI using trivy
-	$(TOOLS_BIN)/trivy fs --cache-dir ${TRIVY_CACHE} --exit-code 1 .
-
 # ======================================================================================================================
 # Test targets
 # ======================================================================================================================
@@ -590,14 +586,6 @@ getcopyright: ## Download copyright jar locally if necessary.
 	@test -f scripts/$(COPYRIGHT_JAR)  || curl -o scripts/$(COPYRIGHT_JAR) \
 		https://repo.maven.apache.org/maven2/org/glassfish/copyright/glassfish-copyright-maven-plugin/2.4/glassfish-copyright-maven-plugin-2.4.jar
 
-# ----------------------------------------------------------------------------------------------------------------------
-# Find or download trivy
-# ----------------------------------------------------------------------------------------------------------------------
-.PHONY: gettrivy
-gettrivy:
-	@mkdir -p $(TOOLS_BIN)
-	curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b $(TOOLS_BIN) v0.51.2
-
 # go-get-tool will 'go get' any package $2 and install it to $1.
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 define go-get-tool
