From 7886e656aed30c7409d0c5ae3f5ad66ab7229b03 Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Thu, 22 Aug 2024 00:10:50 -0500 Subject: [PATCH 1/9] save grype db cache on updates to avoid using stale cache db (#147) --- security-actions/sca/action.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/security-actions/sca/action.yml b/security-actions/sca/action.yml index 4fa1d316..4cfe9877 100644 --- a/security-actions/sca/action.yml +++ b/security-actions/sca/action.yml @@ -121,11 +121,11 @@ runs: - name: Download Grype uses: anchore/scan-action/download-grype@v4.1.1 - # Check for any existing cache to reuse / update - - name: Cache Grype DB - id: cache_grype_db + # Check for any existing cache to reuse + - name: Restore Grype DB Cache + id: restore_grype_db if: ${{ inputs.force_grype_db_update != 'true' }} - uses: actions/cache@v4 + uses: actions/cache/restore@v4 env: cache-name: cache_grype_db with: @@ -139,7 +139,6 @@ runs: ## Edgecase: Grype DB will never update if stale cache is found - name: Grype DB Check Updates - #if: ${{ steps.cache_grype_db.outputs.cache-hit != 'true' }} id: grype_db_check_updates shell: bash run: | @@ -178,10 +177,10 @@ runs: GRYPE_DB_UPDATE_DOWNLOAD_TIMEOUT: 600s # timeout for actual db download if needed FORCE_GRYPE_DB_UPDATE: ${{ inputs.force_grype_db_update }} - - name: Cache Grype DB updates + - name: Update Cache / Save Grype DB updates if: ${{ steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} - id: cache_grype_db_updates - uses: actions/cache@v4 + id: save_grype_db_cache_updates + uses: actions/cache/save@v4 env: cache-name: cache_grype_db # Use generic cache key instead of unique keys for different refs since CVE DB doesn't change frequently with: From 7ef70a777a8cabf8c61eebed535ce88396629d88 Mon Sep 17 00:00:00 2001 
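Review bot: The save step in hunk @@ -178 writes under the same fixed `cache-name: cache_grype_db` that the restore step reads (the `key:` line itself is outside the hunk), and a cache entry is immutable once saved, so after the first successful save every later `actions/cache/save@v4` call is a no-op ("cache already exists") and the restored DB keeps ageing until the entry is evicted. Splitting restore and save therefore does not by itself remove the stale-DB problem named in the subject; the save key needs a component that changes when the DB changes, with a prefix fallback on the restore side, e.g. `key: cache_grype_db-${{ github.run_id }}` on the save step and `restore-keys: cache_grype_db-` on the restore step. Patch 3/9 of this series moves to a run-scoped key, so this matters only if that patch is not applied together with this one. The rest of the save step's `with:` body is outside the hunk.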
From: saisatishkarra Date: Thu, 22 Aug 2024 00:30:49 -0500 Subject: [PATCH 2/9] fix grype cache save and avoid marking cache as readonly --- .github/workflows/dir-scan.yml | 1 - security-actions/sca/action.yml | 6 +++--- security-actions/scan-docker-image/action.yml | 12 ++++++------ 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/.github/workflows/dir-scan.yml b/.github/workflows/dir-scan.yml index f3745bf6..1ed8bf55 100644 --- a/.github/workflows/dir-scan.yml +++ b/.github/workflows/dir-scan.yml @@ -35,5 +35,4 @@ jobs: asset_prefix: test.insomnia dir: ${{env.TEST_REPOSITORY}} upload-sbom-release-assets: true - force_grype_db_update: true ## Explicitly skip cache fail_build: false diff --git a/security-actions/sca/action.yml b/security-actions/sca/action.yml index 4cfe9877..6be40a2b 100644 --- a/security-actions/sca/action.yml +++ b/security-actions/sca/action.yml @@ -122,10 +122,10 @@ runs: uses: anchore/scan-action/download-grype@v4.1.1 # Check for any existing cache to reuse - - name: Restore Grype DB Cache - id: restore_grype_db + - name: Grype DB Cache + id: grype_db if: ${{ inputs.force_grype_db_update != 'true' }} - uses: actions/cache/restore@v4 + uses: actions/cache@v4 env: cache-name: cache_grype_db with: diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml index 6de718ad..1aae493f 100644 --- a/security-actions/scan-docker-image/action.yml +++ b/security-actions/scan-docker-image/action.yml @@ -125,10 +125,10 @@ runs: - name: Download Grype uses: anchore/scan-action/download-grype@v4.1.1 - # Check for any existing cache to reuse / update - - name: Cache Grype DB + # Check for any existing cache to reuse + - name: Grype DB Cache + id: grype_db if: ${{ inputs.force_grype_db_update != 'true' }} - id: cache_grype_db uses: actions/cache@v4 env: cache-name: cache_grype_db 
@@ -182,10 +182,10 @@ runs: GRYPE_DB_UPDATE_DOWNLOAD_TIMEOUT: 600s # timeout for actual db download if needed FORCE_GRYPE_DB_UPDATE: ${{ inputs.force_grype_db_update }} - - name: Cache Grype DB updates + - name: Update Cache / Save Grype DB updates if: ${{ steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} - id: cache_grype_db_updates - uses: actions/cache@v4 + id: save_grype_db_cache_updates + uses: actions/cache/save@v4 env: cache-name: cache_grype_db # Use generic cache key instead of unique keys for different refs since CVE DB doesn't change frequently with: From 9570979bff2495b98ef351f1405c69ad05b9cb27 Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Thu, 22 Aug 2024 01:14:45 -0500 Subject: [PATCH 3/9] use temporary cache key and restore keys for grype cache --- security-actions/sca/action.yml | 13 +++++++------ security-actions/scan-docker-image/action.yml | 15 ++++++++------- 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/security-actions/sca/action.yml b/security-actions/sca/action.yml index 6be40a2b..abc2df8e 100644 --- a/security-actions/sca/action.yml +++ b/security-actions/sca/action.yml @@ -126,12 +126,14 @@ runs: id: grype_db if: ${{ inputs.force_grype_db_update != 'true' }} uses: actions/cache@v4 - env: - cache-name: cache_grype_db with: # Grype cache files are stored in `~/.cache/grype/db` on Linux/macOS path: ~/.cache/grype/db - key: ${{ env.cache-name }} + key: | + cache_grype_${{ github.run_id }}_${{ github.run_attempt }} + restore-keys: | + cache_grype_${{ github.run_id }}_ + cache_grype_db # Make a network call to anchore grype CDN. # This could fail when CDN is flaky for long periods of time. 
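Review bot: The new `restore-keys` fallback `cache_grype_db` in hunk @@ -126 can only prefix-match entries saved under the old fixed key, and after this change both save paths write `cache_grype_<run_id>_<attempt>` keys, so once the last `cache_grype_db` entry is evicted no run will restore another run's DB and every job downloads the full database; a prefix that covers the new keys, `cache_grype_`, as the last restore key restores the most recently saved entry. Separately, because the primary key contains `github.run_id` it misses on every run, so the `actions/cache@v4` post-job hook saves a fresh entry at the end of every job regardless of whether the DB changed — duplicating the explicit `actions/cache/save@v4` step under the same key (one of the two will log "cache already exists") and defeating the save-only-on-drift intent, while each run adds an entry that counts against the repository cache quota. Using `uses: actions/cache/restore@v4` for the restore step leaves saving to the explicit step alone. The same applies to the scan-docker-image hunks @@ -130 and @@ -186 on the next line.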
@@ -181,12 +183,11 @@ runs: if: ${{ steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} id: save_grype_db_cache_updates uses: actions/cache/save@v4 - env: - cache-name: cache_grype_db # Use generic cache key instead of unique keys for different refs since CVE DB doesn't change frequently with: # Grype cache files are stored in `~/.cache/grype/db` on Linux/macOS path: ~/.cache/grype/db - key: ${{ env.cache-name }} + key: | + cache_grype_${{ github.run_id }}_${{ github.run_attempt }} # Don't fail during report generation - name: Vulnerability analysis of SBOM diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml index 1aae493f..c57ef94f 100644 --- a/security-actions/scan-docker-image/action.yml +++ b/security-actions/scan-docker-image/action.yml @@ -130,12 +130,14 @@ runs: id: grype_db if: ${{ inputs.force_grype_db_update != 'true' }} uses: actions/cache@v4 - env: - cache-name: cache_grype_db with: # Grype cache files are stored in `~/.cache/grype/db` on Linux/macOS path: ~/.cache/grype/db - key: ${{ env.cache-name }} + key: | + cache_grype_${{ github.run_id }}_${{ github.run_attempt }} + restore-keys: | + cache_grype_${{ github.run_id }}_ + cache_grype_db # Make a network call to anchore grype CDN. # This could fail when CDN is flaky for long periods of time. @@ -186,13 +188,12 @@ runs: if: ${{ steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} id: save_grype_db_cache_updates uses: actions/cache/save@v4 - env: - cache-name: cache_grype_db # Use generic cache key instead of unique keys for different refs since CVE DB doesn't change frequently with: # Grype cache files are stored in `~/.cache/grype/db` on Linux/macOS path: ~/.cache/grype/db - key: ${{ env.cache-name }} - + key: | + cache_grype_${{ github.run_id }}_${{ github.run_attempt }} + # Grype is invoked first time ever # Don't fail during report generation - name: Vulnerability analysis of SBOM 
From 20348b77cebe99aa4c7037be20589e93e5bf8e74 Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Thu, 22 Aug 2024 01:37:08 -0500 Subject: [PATCH 4/9] Avoid same cache key overwrite issues when saving cache on multiple invocations Dont save grype db cache when already cache is up-to-date --- .github/workflows/docker-image-scan.yml | 1 - security-actions/sca/action.yml | 11 +++++++---- security-actions/scan-docker-image/action.yml | 13 ++++++++----- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/.github/workflows/docker-image-scan.yml b/.github/workflows/docker-image-scan.yml index 44529a50..d6f57130 100644 --- a/.github/workflows/docker-image-scan.yml +++ b/.github/workflows/docker-image-scan.yml @@ -72,7 +72,6 @@ jobs: asset_prefix: test.kong-gateway-dev-linux-arm64 image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }} upload-sbom-release-assets: true - force_grype_db_update: true ## Explicitly skip db cache when available test-download-sbom: if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }} diff --git a/security-actions/sca/action.yml b/security-actions/sca/action.yml index abc2df8e..28dbad9a 100644 --- a/security-actions/sca/action.yml +++ b/security-actions/sca/action.yml @@ -123,7 +123,7 @@ runs: # Check for any existing cache to reuse - name: Grype DB Cache - id: grype_db + id: grype_db_cache if: ${{ inputs.force_grype_db_update != 'true' }} uses: actions/cache@v4 with: @@ -141,7 +141,7 @@ runs: ## Edgecase: Grype DB will never update if stale cache is found - name: Grype DB Check Updates - id: grype_db_check_updates + id: grype_db shell: bash run: | db_check_status=0 
@@ -165,13 +165,13 @@ runs: exit ${FAIL_BUILD} elif [[ $FAIL_BUILD -eq 0 ]]; then echo "::warning ::${GRYPE_DB_UPDATE_MSG}" - echo "GRYPE_DB_UPDATE_STATUS=${db_update_status}" >> $GITHUB_OUTPUT fi else echo "::notice :: Grype DB is updated succesfully" fi echo "::endgroup::" + echo "GRYPE_DB_CHECK_UPDATE_STATUS=${db_check_status}" >> $GITHUB_OUTPUT echo "GRYPE_DB_UPDATE_STATUS=${db_update_status}" >> $GITHUB_OUTPUT env: FAIL_BUILD: ${{ (steps.meta.outputs.global_enforce_build_failure == 'true' || inputs.fail_build == 'true') && '1' || '0' }} @@ -179,8 +179,11 @@ runs: GRYPE_DB_UPDATE_DOWNLOAD_TIMEOUT: 600s # timeout for actual db download if needed FORCE_GRYPE_DB_UPDATE: ${{ inputs.force_grype_db_update }} + # Save cache when db update is available (i.e drift) and update is successful + # Condition helps When this action is invoked more than once in the same workflow + # Example: first workflow saves cache if updates available and second retries to save again even when latest updated cache is available and fails - name: Update Cache / Save Grype DB updates - if: ${{ steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} + if: ${{ steps.grype_db.outputs.GRYPE_DB_CHECK_UPDATE_STATUS != 0 && steps.grype_db.outputs.GRYPE_DB_UPDATE_STATUS }} id: save_grype_db_cache_updates uses: actions/cache/save@v4 with: diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml index c57ef94f..0be9cb73 100644 --- a/security-actions/scan-docker-image/action.yml +++ b/security-actions/scan-docker-image/action.yml @@ -127,7 +127,7 @@ runs: # Check for any existing cache to reuse - name: Grype DB Cache - id: grype_db + id: grype_db_cache if: ${{ inputs.force_grype_db_update != 'true' }} uses: actions/cache@v4 with: 
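Review bot: The new save condition in hunk @@ -179, `steps.grype_db.outputs.GRYPE_DB_CHECK_UPDATE_STATUS != 0 && steps.grype_db.outputs.GRYPE_DB_UPDATE_STATUS`, never compares the update status with 0: the second operand is the raw output string, so the expression tests its truthiness rather than "update succeeded", and the comment added above it ("update is successful") does not describe what is checked. Step outputs are strings, so a failed update reported as `'1'` is truthy and the DB left behind by a failed `grype db update` would be saved into the cache, while how `'0'` coerces is a GitHub-expressions detail not worth relying on either way. Write the intent explicitly: `if: ${{ steps.grype_db.outputs.GRYPE_DB_CHECK_UPDATE_STATUS != 0 && steps.grype_db.outputs.GRYPE_DB_UPDATE_STATUS == 0 }}`. The same expression is added in the scan-docker-image hunk @@ -184 on the next line and is carried forward unchanged by patch 7/9.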
@@ -146,7 +146,7 @@ runs: ## Edgecase: Grype DB will never update if stale cache is found - name: Grype DB Check Updates #if: ${{ steps.cache_grype_db.outputs.cache-hit != 'true' }} - id: grype_db_check_updates + id: grype_db shell: bash run: | db_check_status=0 @@ -170,13 +170,13 @@ runs: exit ${FAIL_BUILD} elif [[ $FAIL_BUILD -eq 0 ]]; then echo "::warning ::${GRYPE_DB_UPDATE_MSG}" - echo "GRYPE_DB_UPDATE_STATUS=${db_update_status}" >> $GITHUB_OUTPUT fi else echo "::notice :: Grype DB is updated succesfully" fi echo "::endgroup::" - + + echo "GRYPE_DB_CHECK_UPDATE_STATUS=${db_check_status}" >> $GITHUB_OUTPUT echo "GRYPE_DB_UPDATE_STATUS=${db_update_status}" >> $GITHUB_OUTPUT env: FAIL_BUILD: ${{ (steps.meta.outputs.global_enforce_build_failure == 'true' || inputs.fail_build == 'true') && '1' || '0' }} @@ -184,8 +184,11 @@ runs: GRYPE_DB_UPDATE_DOWNLOAD_TIMEOUT: 600s # timeout for actual db download if needed FORCE_GRYPE_DB_UPDATE: ${{ inputs.force_grype_db_update }} + # Save cache when db update is available (i.e drift) and update is successful + # Condition helps When this action is invoked more than once in the same workflow + # Example: first workflow saves cache if updates available and second retries to save again even when latest updated cache is available and fails - name: Update Cache / Save Grype DB updates - if: ${{ steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} + if: ${{ steps.grype_db.outputs.GRYPE_DB_CHECK_UPDATE_STATUS != 0 && steps.grype_db.outputs.GRYPE_DB_UPDATE_STATUS }} id: save_grype_db_cache_updates uses: actions/cache/save@v4 with: From 5c685ec0bc8d18f9faa540cb66837c326176c541 Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Thu, 22 Aug 2024 01:47:11 -0500 Subject: [PATCH 5/9] fix grype db logging condition --- security-actions/sca/action.yml | 24 ++++++++--------- security-actions/scan-docker-image/action.yml | 27 +++++++++---------- 2 files changed, 25 insertions(+), 26 deletions(-) 
diff --git a/security-actions/sca/action.yml b/security-actions/sca/action.yml index 28dbad9a..bbfcc26b 100644 --- a/security-actions/sca/action.yml +++ b/security-actions/sca/action.yml @@ -149,25 +149,25 @@ runs: echo "::group::Grype DB Status Check" grype db check -vv || db_check_status=$? if [[ "${db_check_status}" -eq 0 ]]; then - echo "::notice :: Grype DB is already up-to-date" + echo "::notice ::Grype DB is already up-to-date" fi echo "::endgroup::" - echo "::group:: Update Grype DB" + echo "::group::Update Grype DB" if [[ "${db_check_status}" -ne 0 ]] || [[ ${FORCE_GRYPE_DB_UPDATE} == "true" ]]; then grype db update -vv || db_update_status=$? - fi - if [[ "${db_update_status}" -ne 0 ]]; then - GRYPE_DB_UPDATE_MSG="Grype DB updates was not successful. SCA / CVE Grype results might be skipped / unavailable due to DB issues" - if [[ ${FAIL_BUILD} -eq 1 ]]; then - echo "::error ::${GRYPE_DB_UPDATE_MSG}" - exit ${FAIL_BUILD} - elif [[ $FAIL_BUILD -eq 0 ]]; then - echo "::warning ::${GRYPE_DB_UPDATE_MSG}" + if [[ "${db_update_status}" -ne 0 ]]; then + GRYPE_DB_UPDATE_MSG="Grype DB updates was not successful. SCA / CVE Grype results might be skipped / unavailable due to DB issues" + if [[ ${FAIL_BUILD} -eq 1 ]]; then + echo "::error ::${GRYPE_DB_UPDATE_MSG}" + exit ${FAIL_BUILD} + elif [[ $FAIL_BUILD -eq 0 ]]; then + echo "::warning ::${GRYPE_DB_UPDATE_MSG}" + fi + else + echo "::notice ::Grype DB is updated succesfully" fi - else - echo "::notice :: Grype DB is updated succesfully" fi echo "::endgroup::" diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml index 0be9cb73..eb52ebc2 100644 --- a/security-actions/scan-docker-image/action.yml +++ b/security-actions/scan-docker-image/action.yml 
@@ -154,25 +154,24 @@ runs: echo "::group::Grype DB Status Check" grype db check -vv || db_check_status=$? if [[ "${db_check_status}" -eq 0 ]]; then - echo "::notice :: Grype DB is already up-to-date" + echo "::notice ::Grype DB is already up-to-date" fi echo "::endgroup::" - echo "::group:: Update Grype DB" + echo "::group::Update Grype DB" if [[ "${db_check_status}" -ne 0 ]] || [[ ${FORCE_GRYPE_DB_UPDATE} == "true" ]]; then - grype db update -vv || db_update_status=$? - fi - - if [[ "${db_update_status}" -ne 0 ]]; then - GRYPE_DB_UPDATE_MSG="Grype DB updates was not successful. SCA / CVE Grype results might be skipped / unavailable due to DB issues" - if [[ ${FAIL_BUILD} -eq 1 ]]; then - echo "::error ::${GRYPE_DB_UPDATE_MSG}" - exit ${FAIL_BUILD} - elif [[ $FAIL_BUILD -eq 0 ]]; then - echo "::warning ::${GRYPE_DB_UPDATE_MSG}" + grype db update -vv || db_update_status=$? + if [[ "${db_update_status}" -ne 0 ]]; then + GRYPE_DB_UPDATE_MSG="Grype DB updates was not successful. SCA / CVE Grype results might be skipped / unavailable due to DB issues" + if [[ ${FAIL_BUILD} -eq 1 ]]; then + echo "::error ::${GRYPE_DB_UPDATE_MSG}" + exit ${FAIL_BUILD} + elif [[ $FAIL_BUILD -eq 0 ]]; then + echo "::warning ::${GRYPE_DB_UPDATE_MSG}" + fi + else + echo "::notice ::Grype DB is updated succesfully" fi - else - echo "::notice :: Grype DB is updated succesfully" fi echo "::endgroup::" From f19e9a7b75f547a5908e658627650a2175340dca Mon Sep 17 00:00:00 2001 
From: Pankaj Date: Thu, 22 Aug 2024 20:33:52 +0530 Subject: [PATCH 6/9] fix: omitted severity flags in docker image scan action (#142) * fix: omitted severity flags in docker image scan action - Update to Step "Generate docker-cis JSON report", removed as it was causing warnings "unknown severity option: unknown severity: FALSE" - Update to Step "Inspect docker-cis report", removed severity env as it was causing warnings "unknown severity option: unknown severity: FALSE" - This severity flag is not being used at this point. Trivy uses this flag to restrict the scan to specific severity levels - Because of no explicit severity flag, shared action uses value of global_enforce_build_failure env defined in our scripts * Remove severity env --- security-actions/scan-docker-image/action.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml index eb52ebc2..787435f5 100644 --- a/security-actions/scan-docker-image/action.yml +++ b/security-actions/scan-docker-image/action.yml @@ -290,10 +290,9 @@ runs: id: cis_json with: entrypoint: trivy - args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f json --severity ${{ env.severity }} --ignore-unfixed -o ${{ steps.meta.outputs.cis_json_file }}" + args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f json --ignore-unfixed -o ${{ steps.meta.outputs.cis_json_file }}" env: compliance: docker-cis - severity: ${{ steps.meta.outputs.global_enforce_build_failure }} input: ${{ steps.docker_tar.outputs.files_exists == 'true' && '--input' || '' }} - name: upload docker-cis JSON report 
@@ -310,9 +309,8 @@ runs: uses: docker://ghcr.io/aquasecurity/trivy:0.37.2 with: entrypoint: trivy - args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f table --severity ${{ env.severity }} --ignore-unfixed --exit-code ${{ env.exit-code }}" + args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f table --ignore-unfixed --exit-code ${{ env.exit-code }}" env: exit-code: ${{ (steps.meta.outputs.global_enforce_build_failure == 'true' || inputs.fail_build == 'true') && '1' || '0' }} compliance: docker-cis - severity: ${{ steps.meta.outputs.global_enforce_build_failure }} input: ${{ steps.docker_tar.outputs.files_exists == 'true' && '--input' || '' }} From a1f9449f51053b1ef86fd1e35d9b6d588c7c3a7d Mon Sep 17 00:00:00 2001 From: Pankaj Date: Tue, 27 Aug 2024 12:21:15 +0530 Subject: [PATCH 7/9] SEC-1176 - Option to skip Grype DB caching and tradeoff to use Grype CDN (#148) * SEC-1176 - Skip Grype DB Caching * SEC-1176 - update PR for final review --- security-actions/sca/action.yml | 15 ++++++++++++--- security-actions/scan-docker-image/action.yml | 14 ++++++++++++-- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/security-actions/sca/action.yml b/security-actions/sca/action.yml index bbfcc26b..85099e21 100644 --- a/security-actions/sca/action.yml +++ b/security-actions/sca/action.yml @@ -45,6 +45,14 @@ inputs: options: - 'true' - 'false' + skip_grype_db_cache: + required: false + default: false + description: 'Skip the caching of the Grype DB during the SBOM (Software Bill of Materials) scanning process' + type: choice + options: + - 'true' + - 'false' # Outputs to be consumed by others using this SCA action outputs: 
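Review bot: The rewritten `args` line in hunk @@ -310 still runs the scanner from `uses: docker://ghcr.io/aquasecurity/trivy:0.37.2`, a mutable tag, so the code that executes in this security-gating step can change without any change to this file. Pin the image by digest, `uses: docker://ghcr.io/aquasecurity/trivy:0.37.2@sha256:<digest-from-registry>` (placeholder shown), and let a dependency bot bump it; the JSON-report step in hunk @@ -290 presumably uses the same image and should be pinned the same way. The step definition starts outside the hunk.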
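Review bot: The new `skip_grype_db_cache` input in hunk @@ -45 declares `type: choice` and `options:`; as far as I know those keys belong to `workflow_dispatch` inputs and are not part of the action-metadata `inputs` schema, so they are ignored and nothing restricts the value to 'true'/'false' (the existing `force_grype_db_update` above has the same shape, so this follows the file's convention rather than introducing it). Its `default: false` is a bare YAML boolean while the listed options and the `!= 'true'` comparisons that consume it treat the value as a string; `default: 'false'` keeps the declared default in the same form as the accepted values. The same block is added to scan-docker-image in hunk @@ -51 on the next line.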
@@ -120,11 +128,12 @@ runs: - name: Download Grype uses: anchore/scan-action/download-grype@v4.1.1 - + + # Skip Cache Restoration: If skip_grype_db_cache is true, skip the restoration of the cache. # Check for any existing cache to reuse - name: Grype DB Cache id: grype_db_cache - if: ${{ inputs.force_grype_db_update != 'true' }} + if: ${{ inputs.skip_grype_db_cache != 'true' && inputs.force_grype_db_update != 'true' }} uses: actions/cache@v4 with: # Grype cache files are stored in `~/.cache/grype/db` on Linux/macOS @@ -183,7 +192,7 @@ runs: # Condition helps When this action is invoked more than once in the same workflow # Example: first workflow saves cache if updates available and second retries to save again even when latest updated cache is available and fails - name: Update Cache / Save Grype DB updates - if: ${{ steps.grype_db.outputs.GRYPE_DB_CHECK_UPDATE_STATUS != 0 && steps.grype_db.outputs.GRYPE_DB_UPDATE_STATUS }} + if: ${{ inputs.skip_grype_db_cache != 'true' && steps.grype_db.outputs.GRYPE_DB_CHECK_UPDATE_STATUS != 0 && steps.grype_db.outputs.GRYPE_DB_UPDATE_STATUS }} id: save_grype_db_cache_updates uses: actions/cache/save@v4 with: diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml index 787435f5..befae080 100644 --- a/security-actions/scan-docker-image/action.yml +++ b/security-actions/scan-docker-image/action.yml @@ -51,6 +51,14 @@ inputs: options: - 'true' - 'false' + skip_grype_db_cache: + required: false + default: false + description: 'Skip grype db caching' + type: choice + options: + - 'true' + - 'false' outputs: cis-json-report: 
@@ -125,10 +133,11 @@ runs: - name: Download Grype uses: anchore/scan-action/download-grype@v4.1.1 + # Skip Cache Restoration: If skip_grype_db_cache is true, skip the restoration of the cache. # Check for any existing cache to reuse - name: Grype DB Cache id: grype_db_cache - if: ${{ inputs.force_grype_db_update != 'true' }} + if: ${{ inputs.skip_grype_db_cache != 'true' && inputs.force_grype_db_update != 'true' }} uses: actions/cache@v4 with: # Grype cache files are stored in `~/.cache/grype/db` on Linux/macOS @@ -186,8 +195,9 @@ runs: # Save cache when db update is available (i.e drift) and update is successful # Condition helps When this action is invoked more than once in the same workflow # Example: first workflow saves cache if updates available and second retries to save again even when latest updated cache is available and fails + # Skip Cache Saving: If skip_grype_db_cache is true, skip saving the cache updates. - name: Update Cache / Save Grype DB updates - if: ${{ steps.grype_db.outputs.GRYPE_DB_CHECK_UPDATE_STATUS != 0 && steps.grype_db.outputs.GRYPE_DB_UPDATE_STATUS }} + if: ${{ inputs.skip_grype_db_cache != 'true' && steps.grype_db.outputs.GRYPE_DB_CHECK_UPDATE_STATUS != 0 && steps.grype_db.outputs.GRYPE_DB_UPDATE_STATUS }} id: save_grype_db_cache_updates uses: actions/cache/save@v4 with: From d4d6b2a7e202398f62eb37c554df9732b27d9d84 Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Tue, 3 Sep 2024 14:03:04 -0500 Subject: [PATCH 8/9] Defaulting to use grype cdn and skip cache by default (#152) * Defaulting to use grype cdn and skip cache by default only use cache during cdn failures and set explicitly * remove unwanted typo --- security-actions/sca/action.yml | 2 +- security-actions/scan-docker-image/action.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/security-actions/sca/action.yml b/security-actions/sca/action.yml index 85099e21..e4a809c6 100644 --- a/security-actions/sca/action.yml 
+++ b/security-actions/sca/action.yml @@ -47,7 +47,7 @@ inputs: - 'false' skip_grype_db_cache: required: false - default: false + default: true description: 'Skip the caching of the Grype DB during the SBOM (Software Bill of Materials) scanning process' type: choice options: diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml index befae080..fc37ef7f 100644 --- a/security-actions/scan-docker-image/action.yml +++ b/security-actions/scan-docker-image/action.yml @@ -53,7 +53,7 @@ inputs: - 'false' skip_grype_db_cache: required: false - default: false + default: true description: 'Skip grype db caching' type: choice options: @@ -219,7 +219,7 @@ runs: add-cpes-if-none: true severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }} env: - GRYPE_DB_AUTO_UPDATE: false + GRYPE_DB_AUTO_UPDATE: false # Use grype db pointed from grype_db step above # Don't fail during report generation # JSON format will report any ignored rules @@ -234,7 +234,7 @@ runs: add-cpes-if-none: true severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }} env: - GRYPE_DB_AUTO_UPDATE: false # Use grype db cache from grype step above + GRYPE_DB_AUTO_UPDATE: false # Use grype db pointed from grype_db step above - name: Check vulnerability analysis report existence if: ${{ steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} # Run only if DB is available on the runner @@ -285,7 +285,7 @@ runs: add-cpes-if-none: true severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }} env: - GRYPE_DB_AUTO_UPDATE: false # Use grype db cache from grype step above + GRYPE_DB_AUTO_UPDATE: false # Use grype db pointed from grype_db step above - name: Check docker OCI tar existence if: ${{ steps.meta.outputs.scan_image != '' }} From f383903fadc4ff03ee9fcc071d083c603c8502fe Mon Sep 17 00:00:00 2001 
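Review bot: The context line `if: ${{ steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }}` in hunk @@ -234 references a step id that patch 4/9 of this series renamed to `grype_db`; an unknown step's output evaluates to null, and GitHub expressions coerce null to 0 for comparison, so the "Run only if DB is available on the runner" guard now always passes, including when the update failed and `fail_build` is off. The fix is `if: ${{ steps.grype_db.outputs.GRYPE_DB_UPDATE_STATUS == 0 }}`. With this commit's `default: true` the cache restore is skipped by default, so that guard is the only check between a CDN failure and a scan against a missing or stale DB, which makes it worth fixing in the same change. The sca action may carry the same stale reference; it is not visible here, and the guarded step's body continues outside the hunk.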
From: Masaki Muranaka Date: Sat, 7 Sep 2024 02:53:47 +0900 Subject: [PATCH 9/9] Add `inputs.print_results` to lua-lint action. (#149) This will enable to use the problem matcher on GitHub. Signed-off-by: Masaki Muranaka --- code-check-actions/lua-lint/action.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/code-check-actions/lua-lint/action.yml b/code-check-actions/lua-lint/action.yml index 60e2ff5c..425cc957 100644 --- a/code-check-actions/lua-lint/action.yml +++ b/code-check-actions/lua-lint/action.yml @@ -14,6 +14,10 @@ inputs: description: 'Action itself will fail if linting fails' required: false default: false + print_results: + description: 'Print Luacheck results' + required: false + default: 'false' runs: using: composite @@ -34,10 +38,11 @@ runs: luacheck_${{github.sha}}.xml if-no-files-found: warn -# - name: Print Luacheck results -# shell: bash -# run: | -# cat luacheck_${{github.sha}}.xml + - name: Print Luacheck results + shell: bash + run: | + cat luacheck_${{github.sha}}.xml + if: inputs.print_results != 'false' # when using the regular GITHUB_TOKEN, the check-run created by this step will be assigned to a # random workflow in the GH UI. to prevent this, we can force the check-run to be created in a separate
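Review bot: The guard on the new "Print Luacheck results" step, `if: inputs.print_results != 'false'`, enables the step for any value other than the exact string 'false' ('False', 'no', an empty string), so a caller who mistypes the value gets the step rather than the default; `if: ${{ inputs.print_results == 'true' }}` expresses the opt-in directly. Placing `if:` above `shell:` rather than after the `run:` block makes the condition visible before the command it gates (style). The new input's `default: 'false'` is quoted while `fail_build` just above it uses the bare boolean `false`; since both are compared as strings, the quoted form is the safer one to standardise on in this file.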