-
Notifications
You must be signed in to change notification settings - Fork 145
132 lines (109 loc) · 4.31 KB
/
cron.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
---
name: Trivy DB
on:
schedule:
- cron: '0 */6 * * *'
workflow_dispatch:
env:
REPO_OWNER: ${{ github.repository_owner }} # used in 'make db-build'
GH_USER: aqua-bot
VERSION: 2
jobs:
build:
name: Build DB
runs-on: ubuntu-24.04
steps:
- name: Maximize build space
uses: easimon/maximize-build-space@v10
with:
root-reserve-mb: 32768 # vuln-list dirs + language repositories use more than 12GB of storage
remove-android: "true"
remove-docker-images: "true"
remove-dotnet: "true"
remove-haskell: "true"
- name: Check out code into the Go module directory
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Install bbolt
run: go install go.etcd.io/bbolt/cmd/[email protected]
- name: Download vuln-list and advisories
run: make db-fetch-langs db-fetch-vuln-list
- name: Build the binary
run: make build
- name: Build database
run: make db-build
- name: Compact DB
run: make db-compact
- name: Compress assets
run: make db-compress
- name: Move DB
run: mv assets/db.tar.gz .
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Packages Container registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ env.GH_USER }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to ECR
uses: docker/login-action@v3
with:
registry: public.ecr.aws
username: ${{ secrets.ECR_ACCESS_KEY_ID }}
password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
- name: Install oras
run: |
curl -LO https://github.com/oras-project/oras/releases/download/v1.2.0/oras_1.2.0_linux_amd64.tar.gz
tar -xvf ./oras_1.2.0_linux_amd64.tar.gz
- name: Upload assets to registries
run: |
lowercase_repo=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
echo "Starting artifact upload process..."
# Define an array of registry base URLs and their corresponding repository names
declare -A registries=(
["ghcr.io"]="${lowercase_repo}"
["public.ecr.aws"]="${lowercase_repo}"
["docker.io"]="${lowercase_repo}"
)
# Special case for docker.io if the organization is 'aquasecurity'
if [[ "${lowercase_repo}" == "aquasecurity/"* ]]; then
registries["docker.io"]="aquasec/${lowercase_repo#aquasecurity/}"
echo "Docker Hub repository adjusted for aquasecurity: ${registries["docker.io"]}"
fi
# Loop through each registry and push the artifact
for registry in "${!registries[@]}"; do
repo_name=${registries[$registry]}
full_registry_url="${registry}/${repo_name}"
echo "Processing registry: ${full_registry_url}"
tags=(latest ${{ env.VERSION }})
for tag in "${tags[@]}"; do
echo "Pushing artifact with tag: ${tag}"
if ./oras push --artifact-type application/vnd.aquasec.trivy.config.v1+json \
"${full_registry_url}:${tag}" \
db.tar.gz:application/vnd.aquasec.trivy.db.layer.v1.tar+gzip; then
echo "Successfully pushed to ${full_registry_url}:${tag}"
else
echo "Failed to push to ${full_registry_url}:${tag}"
exit 1
fi
done
done
echo "Artifact upload process completed."
- name: Microsoft Teams Notification
## Until the PR with the fix for the AdaptivCard version is merged yet
## https://github.com/Skitionek/notify-microsoft-teams/pull/96
## Use the aquasecurity fork
uses: aquasecurity/notify-microsoft-teams@master
if: failure()
with:
webhook_url: ${{ secrets.TRIVY_MSTEAMS_WEBHOOK }}
needs: ${{ toJson(needs) }}
job: ${{ toJson(job) }}
steps: ${{ toJson(steps) }}