Merge branch 'master' into skip-trivy-update

.github/workflows/security.yml

@@ -32,7 +32,6 @@ jobs:
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb #v3.3.0
-
 
   trivy-scanning:
     runs-on: ubuntu-latest
@@ -48,17 +47,20 @@ jobs:
           file: ./Dockerfile
           platforms: linux/amd64
           push: false
-          tags: |
-            checkmarx/2ms:scanme
+          tags: checkmarx/2ms:scanme
+
+      - name: Run Trivy Scan
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
+        with:
+          image-ref: checkmarx/2ms:scanme
+          vuln-type: os,library
+          format: table
+          ignore-unfixed: true
+          severity: CRITICAL,HIGH,MEDIUM,LOW
+          trivy-config: trivy.yaml
+          exit-code: '1'
+
 
-      - name: Install trivy and Run it
-        run: |
-          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
-          echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
-          sudo apt-get update && sudo apt-get install -y trivy
-          trivy image checkmarx/2ms:scanme --exit-code 1 \
-          --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM,LOW --vex ./ignore.openvex
-  
   secret-scanning:
     runs-on: ubuntu-latest
     steps:

.github/workflows/update-trivy-cron.yml

@@ -0,0 +1,37 @@
+name: Update Trivy Cache
+
+on:
+  schedule:
+    - cron: '0 0 * * *' # Run daily at midnight UTC
+  workflow_dispatch: # Allow manual triggering
+
+jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup oras
+        uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1.2.1
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+          rm db.tar.gz
+
+      - name: Download and extract the Java DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+          oras pull ghcr.io/aquasecurity/trivy-java-db:1
+          tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+          rm javadb.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.2.1
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}

Dockerfile

@@ -20,7 +20,7 @@ COPY . .
 RUN GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -a -o /app/2ms .
 
 # Runtime image
-FROM cgr.dev/chainguard/git@sha256:0663e8c8a5c6fcad6cc2c08e7668d7b46f7aee025a923cee19f69475e187752a
+FROM cgr.dev/chainguard/git@sha256:91f984bed3cef8b6b9bdefb8e4ae2c9ec2c28564b237c2a0e432549c105ceb16
 
 WORKDIR /app
 

plugins/git.go

@@ -73,6 +73,12 @@ func (p *GitPlugin) scanGit(path string, scanOptions string, itemsChan chan ISou
 	defer close()
 
 	for file := range diffs {
+		if file.PatchHeader == nil {
+			// While parsing the PatchHeader, the token size limit may be exceeded, resulting in a nil value.
+			// This scenario is unlikely, but it causes the scan to never complete.
+			file.PatchHeader = &gitdiff.PatchHeader{}
+		}
+
 		log.Debug().Msgf("file: %s; Commit: %s", file.NewName, file.PatchHeader.Title)
 		if file.IsBinary || file.IsDelete {
 			continue

trivy.yaml

@@ -0,0 +1,3 @@
+vulnerability:
+  vex:
+  - ignore.openvex