Skip to content

Commit 7cf8324

Browse files
paradoxboundParadoxboundclaude
authored
Trivy: use GHCR DB source, add ECR fallback, update codeql-action to v4 (#22)
## Summary Fixes the post-merge pipeline failure from PR #20 where `mirror.gcr.io/aquasec/trivy-db` returned 404, preventing `v2.5.2` from being published. - **Trivy DB primary + fallback**: Sets `TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db` on all four Trivy steps. Trivy tries GHCR first, falls back to AWS ECR Public if unavailable, before failing. - **`codeql-action/upload-sarif` v3 → v4**: Addresses the deprecation warning logged during the failed run (v3 deprecated December 2026). ## Test plan - [ ] Post-merge `scan` job completes successfully with Trivy DB downloaded from GHCR - [ ] SARIF uploaded to Security tab - [ ] `merge` job runs and v2.5.2 tags published correctly 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Paradoxbound <paradoxbound@paradoxbound.org> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent a220efa commit 7cf8324

1 file changed

Lines changed: 10 additions & 2 deletions

File tree

.github/workflows/docker-publish.yml

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -146,6 +146,8 @@ jobs:
146146

147147
- name: Scan image for vulnerabilities (Trivy)
148148
uses: aquasecurity/trivy-action@0.30.0
149+
env:
150+
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
149151
with:
150152
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-amd64
151153
format: sarif
@@ -155,7 +157,7 @@ jobs:
155157
exit-code: '0'
156158

157159
- name: Upload Trivy SARIF to Security tab
158-
uses: github/codeql-action/upload-sarif@v3
160+
uses: github/codeql-action/upload-sarif@v4
159161
if: always()
160162
with:
161163
sarif_file: trivy-release.sarif
@@ -165,6 +167,8 @@ jobs:
165167
# from the SARIF step above (trivy-action exports env vars that persist
166168
# across steps; a second trivy-action invocation cannot fully override them).
167169
- name: Fail release on CRITICAL vulnerabilities
170+
env:
171+
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
168172
run: |
169173
trivy image \
170174
--format table \
@@ -489,6 +493,8 @@ jobs:
489493
# CRITICAL findings fail the PR check; HIGH are informational only.
490494
- name: Scan PR image for vulnerabilities (Trivy)
491495
uses: aquasecurity/trivy-action@0.30.0
496+
env:
497+
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
492498
with:
493499
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}-amd64
494500
format: sarif
@@ -498,7 +504,7 @@ jobs:
498504
exit-code: '0'
499505

500506
- name: Upload Trivy SARIF to Security tab
501-
uses: github/codeql-action/upload-sarif@v3
507+
uses: github/codeql-action/upload-sarif@v4
502508
if: always()
503509
with:
504510
sarif_file: trivy-pr.sarif
@@ -508,6 +514,8 @@ jobs:
508514
# from the SARIF step above (trivy-action exports env vars that persist
509515
# across steps; a second trivy-action invocation cannot fully override them).
510516
- name: Fail PR on CRITICAL vulnerabilities
517+
env:
518+
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
511519
run: |
512520
trivy image \
513521
--format table \

0 commit comments

Comments
 (0)