From 77d496abff6687a681e0a61b06da02fbdf647f6b Mon Sep 17 00:00:00 2001
From: Volodymyr Kolesnykov
Date: Mon, 30 Sep 2024 16:30:17 +0300
Subject: [PATCH] ci: cache Trivy database
---
 .github/actions/build-docker-image/action.yml | 24 ++++++++++++++-----
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/.github/actions/build-docker-image/action.yml b/.github/actions/build-docker-image/action.yml
index bbb81fac..964bd340 100644
--- a/.github/actions/build-docker-image/action.yml
+++ b/.github/actions/build-docker-image/action.yml
@@ -64,7 +64,6 @@ runs:
 registry: ${{ inputs.registry }}
 username: ${{ inputs.username }}
 password: ${{ inputs.password }}
- if: ${{ inputs.push }}
 - name: Build and push container image
 uses: docker/build-push-action@v6
@@ -131,12 +130,25 @@ runs:
 run: |
 echo "filename=trivy-$(basename "${{ inputs.primaryTag }}" | tr '\\/:' '-').sarif" >> "${GITHUB_OUTPUT}"
- - name: Security Scan
- uses: docker://aquasec/trivy:0.55.2
+ - name: Create cache directory
+ shell: bash
+ run: mkdir -p .cache
+
+ - name: Cache Trivy database
+ uses: actions/cache@v4.0.2
 with:
- args: image --format json --ignore-unfixed --vuln-type os ${{ inputs.primaryTag }} --output trivy.json
- env:
- ACTIONS_RUNTIME_TOKEN: ${{ inputs.auth_token }}
+ path: .cache/trivy/db
+ key: ${{ runner.os }}-trivy
+
+ - name: Security Scan
+ shell: bash
+ run: |
+ docker run -it --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v $(pwd)/.cache:/root/.cache \
+ -v $(pwd):/workdir \
+ -w /workdir \
+ aquasec/trivy:0.55.2 image --format json --ignore-unfixed --pkg-types os --registry-token=${{ inputs.auth_token }} ${{ inputs.primaryTag }} --output trivy.json
 - name: Print report
 uses: docker://aquasec/trivy:0.55.2
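Review bot: Removing `if: ${{ inputs.push }}` makes the registry login run on every invocation, including scan-only runs where the caller passes no credentials (a pull request from a fork, for instance, receives no secrets); docker/login-action, which the `registry`/`username`/`password` inputs suggest this step uses, will fail on an empty password, so such runs would now break at login instead of reaching the scan. If the login is now required so the scan can pull `primaryTag` from the registry, gate it on the credentials rather than dropping the guard: `if: ${{ inputs.push || inputs.password != '' }}`. The step this `with:` block belongs to begins above the hunk, so its `uses:` line is not visible here and the action in use is inferred.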
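Review bot: The new Security Scan step splices `${{ inputs.auth_token }}` and `${{ inputs.primaryTag }}` straight into the `run:` script, so the token ends up as an argument on the `docker run` command line (readable via `ps` and `docker inspect` for the life of the container, and echoed by any `set -x`) and the tag, should a caller ever derive it from branch or PR metadata, becomes an unquoted shell-injection point; both should be passed through the step's `env:` and referenced as quoted shell variables, with Trivy reading `TRIVY_REGISTRY_TOKEN` in place of `--registry-token`. The `-it` on `docker run` asks for an interactive TTY that a `run:` step does not have, and the docker CLI rejects `-i` together with `-t` when stdin is not a terminal ("the input device is not a TTY"), so both flags should go. The cache key `${{ runner.os }}-trivy` never changes, and actions/cache does not re-save on a primary-key hit, so the database stored on the first run goes stale and Trivy re-downloads it on every later run — the very download this commit set out to avoid; rotate the key (run id or date) and fall back to the newest entry via `restore-keys`. Since this container is handed the runner's docker socket, pinning `aquasec/trivy:0.55.2` by digest rather than tag would also be prudent.

```yaml
      # … unchanged: Create cache directory step …

      - name: Cache Trivy database
        uses: actions/cache@v4.0.2
        with:
          path: .cache/trivy/db
          # A fixed key is saved once and never refreshed; rotate it and restore the newest match.
          key: ${{ runner.os }}-trivy-db-${{ github.run_id }}
          restore-keys: |
            ${{ runner.os }}-trivy-db-

      - name: Security Scan
        shell: bash
        env:
          # Secret and caller-controlled values reach the script as variables, not interpolated text.
          TRIVY_REGISTRY_TOKEN: ${{ inputs.auth_token }}
          PRIMARY_TAG: ${{ inputs.primaryTag }}
        run: |
          docker run --rm \
            -e TRIVY_REGISTRY_TOKEN \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v "$(pwd)/.cache:/root/.cache" \
            -v "$(pwd):/workdir" \
            -w /workdir \
            aquasec/trivy:0.55.2 image --format json --ignore-unfixed --pkg-types os "$PRIMARY_TAG" --output trivy.json

      # … unchanged: Print report step …
```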