@@ -78,13 +78,50 @@ jobs:
7878
7979 # --- Security Scan ---
8080 - name : Run Trivy Security Scan
81- uses : aquasecurity/trivy-action@master
82- with :
83- image-ref : ${{ env.IMAGE_NAME }}
84- severity : " CRITICAL"
85- ignore-unfixed : true
86- exit-code : 1
87- format : table
81+ env :
82+ TRIVY_VERSION : " 0.69.3"
83+ TRIVY_DIGEST : " sha256:7228e304ae0f610a1fad937baa463598cadac0c2ac4027cc68f3a8b997115689"
84+ TRIVY_DB_REPOSITORIES : ' "ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"'
85+ TRIVY_JAVA_DB_REPOSITORIES : ' "ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db"'
86+ TRIVY_MAX_RETRIES : " 5"
87+ TRIVY_RETRY_DELAY : " 20"
88+ run : |
89+ set +e
90+
91+ # retry for random failure
92+ for ((i=0; i<${TRIVY_MAX_RETRIES}; i++)); do
93+ echo "Attempt $((i + 1)) of ${TRIVY_MAX_RETRIES}..."
94+
95+ docker run --rm \
96+ -v /var/run/docker.sock:/var/run/docker.sock \
97+ -v "${{ github.workspace }}/.trivycache:/root/.cache" \
98+ aquasec/trivy:${TRIVY_VERSION}@${TRIVY_DIGEST} \
99+ image \
100+ --image-src docker \
101+ --db-repository ${TRIVY_DB_REPOSITORIES} \
102+ --java-db-repository ${TRIVY_JAVA_DB_REPOSITORIES} \
103+ --scanners vuln \
104+ --severity CRITICAL \
105+ --format table \
106+ --timeout 20m \
107+ --exit-code 1 \
108+ "${{ env.IMAGE_NAME }}"
109+ EXIT_CODE=$?
110+
111+ if [[ $EXIT_CODE -eq 0 ]]; then
112+ echo "Trivy scan completed successfully."
113+ exit 0
114+ elif [[ $EXIT_CODE -eq 1 ]]; then
115+ echo "Trivy found vulnerabilities meeting the configured threshold."
116+ exit 1
117+ elif [[ $i -lt $((TRIVY_MAX_RETRIES - 1)) ]]; then
118+ echo "Unexpected Trivy error. Retrying in ${TRIVY_RETRY_DELAY} seconds..."
119+ sleep "${TRIVY_RETRY_DELAY}"
120+ else
121+ echo "Unexpected Trivy error persisted after ${TRIVY_MAX_RETRIES} attempts."
122+ exit 1
123+ fi
124+ done
88125
89126 # --- Push Image to ACR ---
90127 - name : Login to ACR
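Review bot: The retry loop cannot distinguish findings from failures because the scan runs with `--exit-code 1` while, as far as I know, Trivy also reports general errors (a failed DB download, the very case the loop is meant to retry) with exit status 1, so such an error would be logged as "found vulnerabilities" on the line-115 branch and never retried; using a distinct code, `--exit-code 2 \` and `elif [[ $EXIT_CODE -eq 2 ]]; then`, lets the line-117 branch handle real errors. The removed step had `ignore-unfixed: true`, but the new command passes no `--ignore-unfixed`, so unfixed CRITICAL findings now fail the job — confirm that is intended or add the flag. Mounting `/var/run/docker.sock` hands the scanner container control of the host daemon; the digest pin limits the image-substitution risk, but scanning an exported tarball via `--input` would avoid exposing the socket, and the `.trivycache` mount is written as root inside the container, which may leave root-owned files under the workspace for later steps. The literal double quotes inside `TRIVY_DB_REPOSITORIES` and `TRIVY_JAVA_DB_REPOSITORIES` reach Trivy unchanged since bash does not strip quotes from expansions; if that relies on the flag's CSV parsing, a comment saying so would save the next reader a check. The job continues past the end of the hunk.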