diff --git a/.github/workflows/ci-image-scanning-on-schedule.yml b/.github/workflows/ci-image-scanning-on-schedule.yml
index 948e8389b..02942d047 100644
--- a/.github/workflows/ci-image-scanning-on-schedule.yml
+++ b/.github/workflows/ci-image-scanning-on-schedule.yml
@@ -48,6 +48,9 @@ jobs:
 make image-${{ matrix.target }}
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@0.28.0
+ env:
+ ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
 with:
 image-ref: 'docker.io/karmada/${{ matrix.target }}:${{ matrix.karmada-version }}'
 format: 'sarif'
@@ -56,6 +59,8 @@ jobs:
 output: '${{ matrix.target }}:${{ matrix.karmada-version }}.trivy-results.sarif'
 - name: display scan results
 uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_SKIP_DB_UPDATE: true # Avoid updating the vulnerability db as it was cached in the previous step.
 with:
 image-ref: 'docker.io/karmada/${{ matrix.target }}:${{ matrix.karmada-version }}'
 format: 'table'
diff --git a/.github/workflows/ci-image-scanning.yaml b/.github/workflows/ci-image-scanning.yaml
index 72c898e50..4e5d3a07b 100644
--- a/.github/workflows/ci-image-scanning.yaml
+++ b/.github/workflows/ci-image-scanning.yaml
@@ -43,6 +43,9 @@ jobs:
 make image-${{ matrix.target }}
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@0.28.0
+ env:
+ ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
 with:
 image-ref: 'docker.io/karmada/${{ matrix.target }}:latest'
 format: 'sarif'
@@ -51,6 +54,8 @@ jobs:
 output: 'trivy-results.sarif'
 - name: display scan results
 uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_SKIP_DB_UPDATE: true # Avoid updating the vulnerability db as it was cached in the previous step.
 with:
 image-ref: 'docker.io/karmada/${{ matrix.target }}:latest'
 format: 'table'
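Review bot: The new `ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}` line in the "Run Trivy vulnerability scanner" step hands the workflow token to a third-party action under a non-obvious variable name with no comment saying why it is needed, unlike the `TRIVY_SKIP_DB_UPDATE` line in the next hunk which does explain itself; a reader auditing what this token is used for has nothing to go on. Presumably it is required by the action's internal vulnerability-DB caching in 0.28.0, but that should be stated and confirmed, e.g. `# Required by trivy-action's DB cache handling; step-scoped, not a workflow-level env.` placed above the line. The same applies to the `TRIVY_DB_REPOSITORY` fallback list, which deserves a one-line comment such as `# Primary DB mirror plus a fallback in case ghcr.io is rate-limited.` The identical hunk in `.github/workflows/ci-image-scanning.yaml` (`@@ -43,6 +43,9 @@`) has the same gap.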
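Review bot: `TRIVY_SKIP_DB_UPDATE: true` in the "display scan results" step is an unquoted YAML boolean used as an environment-variable value; GitHub Actions stringifies it so it works, but the intent is a string and yamllint's `truthy` rule will flag it, so writing `TRIVY_SKIP_DB_UPDATE: 'true'` makes the intended value explicit. This step also silently depends on the previous step having populated the DB cache in the same job; if that step's cache handling changes, the table scan will fail with a missing-DB error rather than re-downloading, which is worth noting in the existing inline comment. The same hunk in `.github/workflows/ci-image-scanning.yaml` (`@@ -51,6 +54,8 @@`) has the same two points.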