ci: use custom trivy database image

ref. discussion found here: aquasecurity/trivy#7538 (comment)
nrkno · Sep 26, 2024 · ccaeedb · ccaeedb
1 parent 56a5a6c
commit ccaeedb
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/.github/workflows/node.yaml b/.github/workflows/node.yaml
@@ -233,7 +233,7 @@ jobs:
         if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0
         uses: aquasecurity/[email protected]
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
         with:
           image-ref: "${{ steps.trivy-image.outputs.image }}"
           format: "table"
@@ -383,6 +383,8 @@ jobs:
       - name: Trivy scanning
         if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0
         uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
         with:
           image-ref: "${{ steps.trivy-image.outputs.image }}"
           format: "table"

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -14,13 +14,17 @@ jobs:
     steps:
       - name: Run Trivy vulnerability scanner (json)
         uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
         with:
           image-ref: ghcr.io/nrkno/sofie-core-${{ matrix.image }}:latest
           format: json
           output: '${{ matrix.image }}-trivy-scan-results.json'
 
       - name: Run Trivy vulnerability scanner (table)
         uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
         with:
           image-ref: ghcr.io/nrkno/sofie-core-${{ matrix.image }}:latest
           output: '${{ matrix.image }}-trivy-scan-results.txt'
@@ -37,6 +41,8 @@ jobs:
 
       - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
         uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
         with:
           format: 'github'
           output: 'dependency-results-${{ matrix.image }}.sbom.json'