-
Notifications
You must be signed in to change notification settings - Fork 242
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trivy allow alt db #391
Trivy allow alt db #391
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚀 🙏🏻
This is already possible by specifying the trivy config.yaml as an input to the action https://aquasecurity.github.io/trivy/v0.55/docs/references/configuration/config-file/#db-options You can see an example here: https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#scan-ci-pipeline-w-trivy-config |
@billhammond-dev You can also specify these via environment variables in the trivy scan step (documented here):
We are also looking to use AWS ECR pull through cache repositories to workaround. |
So, if I understand this correctly: I, as the consumer of this action, must download copies of these DBs and store them on my own registry. Then, I must pass environment variables to the action which point at my copies of the DBs. Is that correct? How often are these DBs updated? |
This change allows users to select an alternative DB repo for the database.
I have tested this without the new input being specified, and also by using an ECR pull through repo pointing back at GHCR as the input for the alternative db repository. This will allow for a workaround in case of issues with GHCR/etc and also (if enough folks use this) reduce direct load on GHCR