From ad955c14e032a8b3cb1adee5088977e9abcccc78 Mon Sep 17 00:00:00 2001
From: Dave Henderson
Date: Mon, 4 Nov 2024 08:13:56 -0500
Subject: [PATCH] ci(trivy): Avoid broken Trivy action (#867)

Signed-off-by: Dave Henderson
---
 .github/workflows/trivy.yml | 48 ++++++++++++++++++++++---------------
 1 file changed, 29 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 43bf3bbe..27d29205 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -13,27 +13,37 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Run Trivy vulnerability scanner (table output)
-        uses: aquasecurity/trivy-action@master
+      - name: Install Trivy
+        uses: aquasecurity/setup-trivy@v0.2.2
         with:
-          scan-type: fs
-          format: table
-          exit-code: 1
-          ignore-unfixed: true
-          vuln-type: os,library
-          severity: CRITICAL,HIGH
+          version: v0.56.2
+          cache: true
+      - name: Download Trivy DB
+        run: |
+          trivy fs --no-progress --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db
+      - name: Run Trivy vulnerability scanner (table output)
+        run: |
+          trivy fs \
+            --scanners vuln \
+            --format table \
+            --exit-code 1 \
+            --ignore-unfixed \
+            --pkg-types os,library \
+            --severity CRITICAL,HIGH \
+            --skip-db-update \
+            .
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: fs
-          # The SARIF format ignores severity and uploads all vulnerabilities for
-          # later triage. The table-format step above is used to fail the build if
-          # there are any critical or high vulnerabilities.
-          # See https://github.com/aquasecurity/trivy-action/issues/95
-          format: sarif
-          output: trivy-results.sarif
-          ignore-unfixed: true
-          vuln-type: os,library
+        run: |
+          trivy fs \
+            --scanners vuln \
+            --format sarif \
+            --output trivy-results.sarif \
+            --ignore-unfixed \
+            --pkg-types os,library \
+            --ignorefile .trivyignore \
+            --skip-db-update \
+            .
+        if: always() && github.repository == 'hairyhenderson/go-fsimpl'
       - name: Upload Trivy scan results to GitHub Security tab
         if: always() && github.repository == 'hairyhenderson/go-fsimpl'
         uses: github/codeql-action/upload-sarif@v3
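Review bot: The new `uses: aquasecurity/setup-trivy@v0.2.2` line (like the `actions/checkout@v4` and `upload-sarif@v3` context lines) pins to a mutable tag, so the failure mode this commit is working around — a third-party action ref changing underneath the workflow — is only narrowed, not closed, and a re-pointed tag would run arbitrary code with whatever token this job holds; pin each action to the full commit SHA of the intended release and keep the tag as a trailing comment, `uses: aquasecurity/setup-trivy@<full 40-char commit sha> # v0.2.2`. The hunk also deletes the four-line comment that explained why the SARIF scan runs without `--severity`/`--exit-code` while the table scan gates the build on CRITICAL,HIGH; that rationale is now gone from the file, so restore it above the second `run: |`, e.g. `# Deliberately no --severity/--exit-code: this scan uploads every finding for triage; the table-format step above is what fails the build.` Minor: `--ignorefile .trivyignore` is passed only to the SARIF scan — Trivy's documented default ignorefile is `.trivyignore`, so this is probably redundant rather than a gap, but passing it to both invocations makes the intent explicit and keeps the two scans from drifting.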