From 631ee24f77442799c3fdd3b02d26d54128e62bf1 Mon Sep 17 00:00:00 2001 From: Paradoxbound Date: Thu, 26 Feb 2026 20:24:02 +0000 Subject: [PATCH 1/2] Trivy: use GHCR DB source, update codeql-action to v4 The GCR mirror (mirror.gcr.io/aquasec/trivy-db) returns 404 intermittently. Set TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db on all four Trivy steps (two trivy-action SARIF steps, two run: blocking steps) to bypass the mirror. Also updates github/codeql-action/upload-sarif from v3 to v4 ahead of the December 2026 v3 deprecation. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/docker-publish.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index f8628cd..8f72d55 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -146,6 +146,8 @@ jobs: - name: Scan image for vulnerabilities (Trivy) uses: aquasecurity/trivy-action@0.30.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-amd64 format: sarif @@ -155,7 +157,7 @@ jobs: exit-code: '0' - name: Upload Trivy SARIF to Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 if: always() with: sarif_file: trivy-release.sarif @@ -165,6 +167,8 @@ jobs: # from the SARIF step above (trivy-action exports env vars that persist # across steps; a second trivy-action invocation cannot fully override them). - name: Fail release on CRITICAL vulnerabilities + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db run: | trivy image \ --format table \ @@ -489,6 +493,8 @@ jobs: # CRITICAL findings fail the PR check; HIGH are informational only. - name: Scan PR image for vulnerabilities (Trivy) uses: aquasecurity/trivy-action@0.30.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}-amd64 format: sarif @@ -498,7 +504,7 @@ jobs: exit-code: '0' - name: Upload Trivy SARIF to Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 if: always() with: sarif_file: trivy-pr.sarif @@ -508,6 +514,8 @@ jobs: # from the SARIF step above (trivy-action exports env vars that persist # across steps; a second trivy-action invocation cannot fully override them). - name: Fail PR on CRITICAL vulnerabilities + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db run: | trivy image \ --format table \ From 5001ddc5772d52630203f1cdcb9bc4cdd10e34ae Mon Sep 17 00:00:00 2001 From: Paradoxbound Date: Thu, 26 Feb 2026 20:27:40 +0000 Subject: [PATCH 2/2] Trivy: add ECR Public as fallback DB repository If ghcr.io/aquasecurity/trivy-db is unavailable, Trivy will fall back to public.ecr.aws/aquasecurity/trivy-db before failing. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/docker-publish.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 8f72d55..803c2e3 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -147,7 +147,7 @@ jobs: - name: Scan image for vulnerabilities (Trivy) uses: aquasecurity/trivy-action@0.30.0 env: - TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-amd64 format: sarif @@ -168,7 +168,7 @@ jobs: # across steps; a second trivy-action invocation cannot fully override them). - name: Fail release on CRITICAL vulnerabilities env: - TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db run: | trivy image \ --format table \ @@ -494,7 +494,7 @@ jobs: - name: Scan PR image for vulnerabilities (Trivy) uses: aquasecurity/trivy-action@0.30.0 env: - TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}-amd64 format: sarif @@ -515,7 +515,7 @@ jobs: # across steps; a second trivy-action invocation cannot fully override them). - name: Fail PR on CRITICAL vulnerabilities env: - TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db run: | trivy image \ --format table \