Publish tag containing the build date to locate old DB #251
base: main
Conversation
Signed-off-by: Josh Dolitsky <[email protected]>
Update: see my next comment :) The maintainer @knqyf263 is away for the next couple of weeks, but I might add a comment in the meantime: while this is a valid quick fix for the specific use case you describe, I'm trying to forward into using this information in the trivy cli and other use cases. In this case I think it will not suffice to just tag the image at push time, we will need to
I think it would be best to add the timestamp to the db
Actually,
Signed-off-by: Josh Dolitsky <[email protected]>
@itaysk alright, we have implemented this in this PR! Please take a look when you have a moment
Hi there, just checking in to see if there's anything I can do to help get this merged.
We're so sorry to make another suggestion again, but can't we load metadata.json rather than adding a new subcommand? It is simpler if it works. You can read the file between the make db-compact and make db-compress steps.
trivy-db/.github/workflows/cron.yml, lines 36 to 40 in be9ad3a:
- name: Compact DB
  run: make db-compact
- name: Compress assets
  run: make db-compress
I'd suggest as below.
- name: Compact DB
  run: make db-compact
- name: Get the UpdatedAt timestamp
  id: timestamp
  run: |
    # jq -r strips the JSON quotes; `date -d` (GNU date, as on ubuntu runners) parses the
    # RFC 3339 value, whereas piping into `date` ignores stdin and prints the current time.
    # -u keeps the tag in UTC regardless of the runner's timezone.
    echo "timestamp=$(date -u -d "$(jq -r .UpdatedAt assets/metadata.json)" "+%F-%H-%M-%S")" >> "$GITHUB_OUTPUT"
- name: Compress assets
  run: make db-compress
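The same derivation in Go, as an added example that is not part of this PR or of trivy-db: it reads the UpdatedAt field the review's jq expression points at and produces both the %F-%H-%M-%S tag from the suggested workflow step and the compact YYYYMMDDHH form from the PR description's --db-tag example. The field name UpdatedAt is taken from the review; the metadata.json contents below are constructed, and the other fields are assumptions that the decoder ignores. The offset sample shows the practitioner's caveat: the tag must be normalised to UTC, or the same instant yields different tags on differently configured runners.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// dbMetadata holds the one field of assets/metadata.json this example needs.
// The field name comes from the jq expression in the review (.UpdatedAt);
// any other fields in the file are ignored by the decoder.
type dbMetadata struct {
	UpdatedAt time.Time `json:"UpdatedAt"`
}

// parseUpdatedAt decodes metadata.json and returns UpdatedAt normalised to UTC,
// so the tag is identical whatever timezone the CI runner happens to use.
func parseUpdatedAt(metadata []byte) (time.Time, error) {
	var m dbMetadata
	if err := json.Unmarshal(metadata, &m); err != nil {
		return time.Time{}, fmt.Errorf("parse metadata.json: %w", err)
	}
	if m.UpdatedAt.IsZero() {
		return time.Time{}, fmt.Errorf("metadata.json has no UpdatedAt")
	}
	return m.UpdatedAt.UTC(), nil
}

// LongTag returns the %F-%H-%M-%S form used in the suggested workflow step,
// e.g. 2022-09-15-12-07-41.
func LongTag(metadata []byte) (string, error) {
	t, err := parseUpdatedAt(metadata)
	if err != nil {
		return "", err
	}
	return t.Format("2006-01-02-15-04-05"), nil
}

// ShortTag returns the hour-granular YYYYMMDDHH form from the PR description
// (--db-tag=2022091512), the shape a CLI flag would most plausibly accept.
func ShortTag(metadata []byte) (string, error) {
	t, err := parseUpdatedAt(metadata)
	if err != nil {
		return "", err
	}
	return t.Format("2006010215"), nil
}

// sampleMetadata is a constructed stand-in for assets/metadata.json; the
// Version and NextUpdate fields are assumptions and are not read.
const sampleMetadata = `{"Version":2,"NextUpdate":"2022-09-15T18:00:00Z","UpdatedAt":"2022-09-15T12:07:41Z"}`

// sampleOffset is constructed to show why UTC normalisation matters: the same
// wall-clock time written with a +02:00 offset is 10:07 UTC, so it must tag as
// 2022091510, not 2022091512.
const sampleOffset = `{"UpdatedAt":"2022-09-15T12:07:41+02:00"}`

func main() {
	for _, in := range []string{sampleMetadata, sampleOffset, `{"Version":2}`} {
		long, err := LongTag([]byte(in))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		short, _ := ShortTag([]byte(in))
		fmt.Printf("%s -> %s (short %s)\n", in, long, short)
	}
}
```

A missing or unparsable UpdatedAt is reported as an error rather than silently tagging with the zero time, which is the failure mode a shell pipeline that pipes into `date` would hide by printing "now".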
There does not currently appear to be any way to run Trivy using an older version of the DB.
Example use case: check how many vulnerabilities would have been detected by Trivy in a given image 30 days ago.
There is additional work to do in the CLI to change the tag to something other than "2" (for example --db-tag=2022091512). However, until these tags start to be published, there is no reliable way to obtain this data other than by scrubbing through the GitHub Actions logs, locating the digest published by oras, and following the air-gap instructions.