From 5c117c2754bff4154077e0de22d0ceef0fe987de Mon Sep 17 00:00:00 2001
From: mamutmk5 <3045922+mamutmk5@users.noreply.github.com>
Date: Wed, 6 Nov 2024 16:34:07 +0100
Subject: [PATCH 1/4] BC-8372 - trivy use cache for DBs

---
 .github/workflows/push.yml  |  8 ++++++++
 .github/workflows/trivy.yml | 39 +++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 .github/workflows/trivy.yml

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index d723eb2..1f02374 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -111,6 +111,11 @@ jobs:
       contents: read
       security-events: write
     steps:
+      - name: Restore cached trivy DBs
+        uses: actions/cache/restore@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}
       - name: run trivy vulnerability scanner
         uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9
         with:
@@ -119,6 +124,9 @@ jobs:
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
           ignore-unfixed: true
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
       - name: upload trivy results
         if: ${{ always() }}
         uses: github/codeql-action/upload-sarif@v3
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..9ba6d25
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,39 @@
+# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans.
+# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true.
+name: Update Trivy Cache
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Run daily at midnight UTC
+  workflow_dispatch:  # Allow manual triggering
+
+jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup oras
+        uses: oras-project/setup-oras@v1
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+          rm db.tar.gz
+
+      - name: Download and extract the Java DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+          oras pull ghcr.io/aquasecurity/trivy-java-db:1
+          tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+          rm javadb.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}

From 100b2c674d343e1b91093419c9b39fe28870796b Mon Sep 17 00:00:00 2001
From: mamutmk5 <3045922+mamutmk5@users.noreply.github.com>
Date: Wed, 6 Nov 2024 17:07:16 +0100
Subject: [PATCH 2/4] BC-8372 - fix trivy cache name

---
 .github/workflows/push.yml  | 2 +-
 .github/workflows/trivy.yml | 6 +-----
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 1f02374..beae563 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -115,7 +115,7 @@ jobs:
         uses: actions/cache/restore@v4
         with:
           path: ${{ github.workspace }}/.cache/trivy
-          key: cache-trivy-${{ steps.date.outputs.date }}
+          key: cache-trivy
       - name: run trivy vulnerability scanner
         uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9
         with:
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 9ba6d25..214c7fa 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -14,10 +14,6 @@ jobs:
       - name: Setup oras
         uses: oras-project/setup-oras@v1
 
-      - name: Get current date
-        id: date
-        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
-
       - name: Download and extract the vulnerability DB
         run: |
           mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
@@ -36,4 +32,4 @@ jobs:
         uses: actions/cache/save@v4
         with:
           path: ${{ github.workspace }}/.cache/trivy
-          key: cache-trivy-${{ steps.date.outputs.date }}
+          key: cache-trivy

From 0e4a5b8780dadac6d909a8b81a31930ce6927167 Mon Sep 17 00:00:00 2001
From: mamutmk5 <3045922+mamutmk5@users.noreply.github.com>
Date: Thu, 7 Nov 2024 09:24:13 +0100
Subject: [PATCH 3/4] BC-8372 - fix cache nameing

---
 .github/workflows/push.yml  | 5 ++++-
 .github/workflows/trivy.yml | 6 +++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index beae563..291ef5a 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -111,11 +111,14 @@ jobs:
       contents: read
       security-events: write
     steps:
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
       - name: Restore cached trivy DBs
         uses: actions/cache/restore@v4
         with:
           path: ${{ github.workspace }}/.cache/trivy
-          key: cache-trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}
       - name: run trivy vulnerability scanner
         uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9
         with:
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 214c7fa..9ba6d25 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -14,6 +14,10 @@ jobs:
       - name: Setup oras
         uses: oras-project/setup-oras@v1
 
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
       - name: Download and extract the vulnerability DB
         run: |
           mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
@@ -32,4 +36,4 @@ jobs:
         uses: actions/cache/save@v4
         with:
           path: ${{ github.workspace }}/.cache/trivy
-          key: cache-trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}

From d405143b3a9a7e0da93ce25e5ac896b73b0e32a5 Mon Sep 17 00:00:00 2001
From: mamutmk5 <3045922+mamutmk5@users.noreply.github.com>
Date: Thu, 7 Nov 2024 13:54:20 +0100
Subject: [PATCH 4/4] BC-8372 - set trivy version to latest

---
 .github/workflows/push.yml | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 291ef5a..694beb2 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -111,22 +111,15 @@ jobs:
       contents: read
       security-events: write
     steps:
-      - name: Get current date
-        id: date
-        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
-      - name: Restore cached trivy DBs
-        uses: actions/cache/restore@v4
-        with:
-          path: ${{ github.workspace }}/.cache/trivy
-          key: cache-trivy-${{ steps.date.outputs.date }}
       - name: run trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
         with:
           image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}'
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
           ignore-unfixed: true
+          scan-type: 'image'
         env:
           TRIVY_SKIP_DB_UPDATE: true
           TRIVY_SKIP_JAVA_DB_UPDATE: true