From e3afcd7cccc87f41f57f59e02423c67372e72c2f Mon Sep 17 00:00:00 2001
From: Teetje Stark
Date: Fri, 1 Nov 2024 10:38:38 +0100
Subject: [PATCH 1/2] ci: Update trivy actions to v0.28.0
---
 .github/actions/trivy-config/action.yaml | 8 ++++----
 .github/actions/trivy-image/action.yaml | 4 ++--
 .github/workflows/.reusable-sca.yml | 2 --
 3 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/.github/actions/trivy-config/action.yaml b/.github/actions/trivy-config/action.yaml
index 4e23b58bd..52372a4ce 100644
--- a/.github/actions/trivy-config/action.yaml
+++ b/.github/actions/trivy-config/action.yaml
@@ -17,21 +17,21 @@ runs:
 helm template charts/connaisseur > deployment/deployment.yaml
 shell: bash
 - name: Scan deployment.yaml
- uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 if: inputs.output == 'table'
 with:
 scan-type: "config"
 scan-ref: "deployment"
 format: 'table'
 - name: Scan Dockerfiles
- uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 if: inputs.output == 'table'
 with:
 scan-type: "config"
 scan-ref: "build"
 format: 'table'
 - name: Scan deployment.yaml
- uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 if: inputs.output == 'sarif'
 with:
 scan-type: "config"
@@ -39,7 +39,7 @@ runs:
 format: 'sarif'
 output: 'reports/trivy-k8s-results.sarif'
 - name: Scan Dockerfiles
- uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 if: inputs.output == 'sarif'
 with:
 scan-type: "config"
diff --git a/.github/actions/trivy-image/action.yaml b/.github/actions/trivy-image/action.yaml
index 4fd2fd729..1f1ffcef1 100644
--- a/.github/actions/trivy-image/action.yaml
+++ b/.github/actions/trivy-image/action.yaml
@@ -33,7 +33,7 @@ runs:
 shell: sh
 - name: Run Trivy on image
 if: inputs.output == 'sarif'
- uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 with:
 image-ref: ${{ inputs.image }}
 scan-type: "image"
@@ -41,7 +41,7 @@ runs:
 output: 'reports/trivy-vuln-results.sarif'
 - name: Run Trivy on image
 if: inputs.output == 'table'
- uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
 with:
 image-ref: ${{ inputs.image }}
 scan-type: "image"
diff --git a/.github/workflows/.reusable-sca.yml b/.github/workflows/.reusable-sca.yml
index 37e123fab..9303938dc 100644
--- a/.github/workflows/.reusable-sca.yml
+++ b/.github/workflows/.reusable-sca.yml
@@ -37,8 +37,6 @@ jobs:
 permissions:
 packages: read
 security-events: write
- container:
- image: docker:stable
 steps:
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
From d2a32a0aa4b145cbdebb11c4efaedf2ca09a5702 Mon Sep 17 00:00:00 2001
From: Teetje Stark
Date: Fri, 1 Nov 2024 11:26:40 +0100
Subject: [PATCH 2/2] ci: Set fallback AWS repository for ratelimited trivy DBs
---
 .github/actions/trivy-image/action.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/actions/trivy-image/action.yaml b/.github/actions/trivy-image/action.yaml
index 1f1ffcef1..fdafdec6f 100644
--- a/.github/actions/trivy-image/action.yaml
+++ b/.github/actions/trivy-image/action.yaml
@@ -39,6 +39,9 @@ runs:
 scan-type: "image"
 format: 'sarif'
 output: 'reports/trivy-vuln-results.sarif'
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db # Workaround for https://github.com/aquasecurity/trivy-action/issues/389
+ TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db # Workaround for https://github.com/aquasecurity/trivy-action/issues/389
 - name: Run Trivy on image
 if: inputs.output == 'table'
 uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
@@ -47,6 +50,9 @@ runs:
 scan-type: "image"
 exit-code: 1
 format: 'table'
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db # Workaround for https://github.com/aquasecurity/trivy-action/issues/389
+ TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db # Workaround for https://github.com/aquasecurity/trivy-action/issues/389
 - name: Upload
 if: inputs.output == 'sarif'
 uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
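Review bot: The comma-separated fallback in `TRIVY_DB_REPOSITORY` and `TRIVY_JAVA_DB_REPOSITORY` only helps if the Trivy binary that trivy-action v0.28.0 installs already understands a list of DB repositories; as far as I recall that landed in a later Trivy release, and on an older binary the whole value is treated as one invalid OCI reference, so every image scan in the `sarif` step would fail instead of falling back — please confirm against the Trivy version this pinned action ships before merging. Both references are bare, tag-resolved repositories and Trivy does not, to my knowledge, verify signatures on the DB it pulls, so the scanner's findings are only as trustworthy as those two registries; that is acceptable for the upstream-published artifact but deserves a comment so nobody later points this at an unvetted mirror. The identical trailing comment on each of the four new lines could be a single comment above `env:`, e.g. `# Fall back to public.ecr.aws when ghcr.io rate-limits the DB pull (aquasecurity/trivy-action#389)`, which also keeps these lines readable. The enclosing `Run Trivy on image` step starts outside the hunk.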
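Review bot: The `env:` block added here on the `table` step is a verbatim copy of the one on the `sarif` step, so the repository list (and the eventual removal of the workaround once upstream fixes the rate limiting) must be maintained in two places and can silently drift. In a composite action a single `run:` step that appends both variables to `$GITHUB_ENV` before either scan applies to every later step and keeps the workaround in one spot, as sketched below; I believe `$GITHUB_ENV` propagates between composite-action steps, but confirm that the new step is ordered before the first `uses:` in this action. The enclosing step continues outside the hunk.
```yaml
# … unchanged: earlier steps of the composite action …
- name: Point Trivy at a fallback DB registry
  shell: sh
  # Workaround for https://github.com/aquasecurity/trivy-action/issues/389
  run: |
    echo "TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db" >> "$GITHUB_ENV"
    echo "TRIVY_JAVA_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db" >> "$GITHUB_ENV"
# … unchanged: both "Run Trivy on image" steps, with their per-step env: blocks removed …
```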