From 20f3905bbff75fa9f6332f981689551a4c9e768f Mon Sep 17 00:00:00 2001 From: Simon Templer Date: Wed, 25 Sep 2024 14:48:52 +0200 Subject: [PATCH 1/2] fix(deps): update trivy action to 0.24.0 --- action.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/action.yml b/action.yml index 92b4a8d..4a24829 100644 --- a/action.yml +++ b/action.yml @@ -56,7 +56,7 @@ runs: uses: jaxxstorm/action-install-gh-release@25d5e2dd555cd74f1fab9ac1e6ea117acde2c0c4 # v1.12.0 with: repo: CycloneDX/cyclonedx-cli - tag: v0.25.1 # optional, otherwise use latest + tag: v0.27.1 # optional, otherwise use latest # extension-matching: disable # disable extension matching because artifacts are binaries @@ -94,7 +94,7 @@ runs: # Approach based on https://github.com/aquasecurity/trivy-action/issues/173#issuecomment-1497774518 - name: Create SBOM if: "${{ inputs.scan-ref == '' }}" - uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: image-ref: '${{ inputs.image-ref }}' scan-type: "${{ inputs.image-ref != '' && 'image' || 'fs' }}" @@ -123,7 +123,7 @@ runs: # https://github.com/aquasecurity/trivy-action - name: Scan for critical vulnerabilities (create JUnit report) - uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 if: "${{ inputs.junit-test-output != '' || inputs.create-test-report }}" with: scan-ref: "${{ env.REPORT_SLUG }}-sbom.json" @@ -136,7 +136,7 @@ runs: severity: ${{ inputs.fail-for }} - name: Create vulnerability report as HTML - uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: scan-ref: "${{ env.REPORT_SLUG }}-sbom.json" scan-type: sbom 
@@ -158,7 +158,7 @@ runs: cp ${GITHUB_ACTION_PATH}/summary.tpl ./trivy-summary.tpl - name: Create summary on vulnerabilities if: ${{ inputs.create-summary == 'true' }} - uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: scan-ref: "${{ env.REPORT_SLUG }}-sbom.json" scan-type: sbom From 7e651c24d34c2604928aaa200ef95c9850863e3d Mon Sep 17 00:00:00 2001 From: Simon Templer Date: Wed, 25 Sep 2024 15:00:55 +0200 Subject: [PATCH 2/2] feat: cache trivy database --- action.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/action.yml b/action.yml index 4a24829..a1a1b5d 100644 --- a/action.yml +++ b/action.yml @@ -90,6 +90,15 @@ runs: # Scan for security vulnerabilities # + - name: Restore trivy cache + id: cache-trivy-restore + uses: actions/cache/restore@v4 + with: + path: .trivy + key: ${{ runner.os }}-trivy-${{ github.job }}-${{ github.run_id }} + restore-keys: | + ${{ runner.os }}-trivy- + # https://github.com/aquasecurity/trivy-action # Approach based on https://github.com/aquasecurity/trivy-action/issues/173#issuecomment-1497774518 - name: Create SBOM @@ -101,6 +110,7 @@ runs: format: 'cyclonedx' # spdx-json template: '@/contrib/junit.tpl' output: "${{ env.REPORT_SLUG }}-sbom.json" + cache-dir: .trivy - name: Use existing SBOM if: "${{ inputs.scan-ref != '' }}" shell: bash @@ -134,6 +144,7 @@ runs: ignore-unfixed: true vuln-type: 'os,library' severity: ${{ inputs.fail-for }} + cache-dir: .trivy - name: Create vulnerability report as HTML uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 @@ -143,6 +154,7 @@ runs: format: 'template' template: '@/contrib/html.tpl' output: ${{ env.REPORT_FILENAME }} + cache-dir: .trivy - name: Upload vulnerability report uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 if: always() 
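Review bot: `uses: actions/cache/restore@v4` in the new "Restore trivy cache" step points at a mutable tag, while every other `uses:` in this file (`jaxxstorm/action-install-gh-release@25d5e2…`, `aquasecurity/trivy-action@6e7b7d…`, `actions/upload-artifact@507695…`) is pinned to a full commit SHA with the version in a trailing comment. A retagged `v4` would silently change the code that hands the vulnerability database to the scanners, so pin it the same way, e.g. `uses: actions/cache/restore@<full-commit-sha> # v4.x.y`, and likewise `actions/cache/save@v4` in the save step this patch adds further down. Dependabot and Renovate both bump SHA-pinned `uses:` lines that carry a version comment, so the update flow behind PATCH 1/2 keeps working. The `key:` could also use a one-line comment, since embedding `github.run_id` means it never matches on restore and the `restore-keys` prefix does the real work: `# run_id keeps the key unique so every run saves a fresh DB; restore-keys falls back to the newest earlier entry`.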
@@ -165,6 +177,7 @@ runs: format: 'template' template: '@trivy-summary.tpl' output: 'trivy.md' + cache-dir: .trivy - name: Add to job summary if: ${{ inputs.create-summary == 'true' }} shell: bash @@ -172,6 +185,18 @@ runs: echo "### Vulnerability summary (${{ inputs.image-ref != '' && inputs.image-ref || 'fs' }})" >> $GITHUB_STEP_SUMMARY cat trivy.md >> $GITHUB_STEP_SUMMARY + # Save trivy cache + - name: Fix .trivy permissions + shell: bash + run: sudo chown -R $(stat . -c %u:%g) .trivy + - name: Save trivy cache + if: always() # always save + id: cache-trivy-save + uses: actions/cache/save@v4 + with: + path: .trivy + key: ${{ steps.cache-trivy-restore.outputs.cache-primary-key }} + # # Report on unit tests and critical vulnerabilities #
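Review bot: The new "Fix .trivy permissions" step has no `if: always()`, but the "Save trivy cache" step right after it does, so when an earlier Trivy step fails (e.g. the severity-gated scan exiting non-zero) the chown is skipped and the save runs on a directory presumably still root-owned from the Trivy container, and if no Trivy step ran at all `chown` on a missing `.trivy` fails the job by itself. Give the fix step the same condition and guard the path: `if: always()` and `run: if [ -d .trivy ]; then sudo chown -R "$(stat -c %u:%g .)" .trivy; fi`. `stat . -c %u:%g` only works because GNU stat permutes its arguments; `stat -c %u:%g .` is the portable spelling, and the step also assumes passwordless `sudo`, which holds on GitHub-hosted runners but not necessarily self-hosted ones. A why-comment would help too: `# Trivy runs as root inside its container, so hand the cache back to the runner user before actions/cache archives it`. The enclosing `runs:` block continues past the end of this hunk.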