From 7682e01e956ea3955cc7a7a66b64c9b439b8cf48 Mon Sep 17 00:00:00 2001
From: Kai Siren
Date: Wed, 13 Nov 2024 11:08:35 -0800
Subject: [PATCH] cache trivy take 1
---
 .github/workflows/vulnerability-scans.yml | 41 +++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
index 01014f2bc..9108be13c 100644
--- a/.github/workflows/vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
@@ -94,6 +94,44 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ - name: Get current date
+ id: date
+ run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+ - name: Restore cached trivy vulnerability and Java DBs
+ id: cache-trivy
+ uses: actions/cache/restore@v4
+ with:
+ path: ${{ github.workspace }}/.cache/trivy
+ key: cache-trivy-${{ steps.date.outputs.date }}
+
+ - name: Setup oras
+ if: steps.cache-trivy.outputs.cache-hit != 'true'
+ uses: oras-project/setup-oras@v1
+
+ - name: Download and extract the vulnerability DB
+ if: steps.cache-trivy.outputs.cache-hit != 'true'
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+ oras pull ghcr.io/aquasecurity/trivy-db:2
+ tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+ rm db.tar.gz
+
+ - name: Download and extract the Java DB
+ if: steps.cache-trivy.outputs.cache-hit != 'true'
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+ oras pull ghcr.io/aquasecurity/trivy-java-db:1
+ tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+ rm javadb.tar.gz
+
+ - name: Cache DBs
+ if: steps.cache-trivy.outputs.cache-hit != 'true'
+ uses: actions/cache/save@v4
+ with:
+ path: ${{ github.workspace }}/.cache/trivy
+ key: cache-trivy-${{ steps.date.outputs.date }}
+
 - name: Restore cached Docker image
 uses: actions/cache/restore@v4
 with:
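Review bot: The two download steps pull `ghcr.io/aquasecurity/trivy-db:2` and `ghcr.io/aquasecurity/trivy-java-db:1` by mutable tag and feed the result straight into the scanner with nothing checking what was fetched, and the new third-party action `oras-project/setup-oras@v1` is referenced by a floating major tag as well. Trivy's built-in updater fetches the same refs without verification, so this is not a regression, but now that the fetch is explicit in the workflow it is the place to add a signature check if Aqua publishes one for these images (cosign keyless is the likely form, to be confirmed) — a digest pin is the wrong tool here because it would freeze a DB that is meant to refresh daily. The new action should be pinned to a full commit SHA with the tag kept as a comment, `uses: oras-project/setup-oras@<full-commit-sha>  # v1`, even though the file's existing `@v4` refs are not; a new dependency is a good place to start. A comment above the "Get current date" step would make the trade-off visible: `# DB is fetched at most once per day (date-keyed cache); a cache hit scans with a DB up to ~24h old`.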
@@ -116,6 +154,9 @@ jobs:
 ignore-unfixed: true
 vuln-type: os
 scanners: vuln,secret
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
 - name: Save output to workflow summary
 if: always() # Runs even if there is a failure
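Review bot: Setting `TRIVY_SKIP_DB_UPDATE` and `TRIVY_SKIP_JAVA_DB_UPDATE` makes this scan depend entirely on the DB that the earlier steps placed under `${{ github.workspace }}/.cache/trivy`, but nothing in this hunk tells trivy to look there; if the step is the trivy-action its default cache-dir is that workspace path (to be confirmed against the action version in use), whereas any other invocation would look in trivy's own default cache dir, find no DB and likely fail. Make the coupling explicit next to the two flags with `TRIVY_CACHE_DIR: ${{ github.workspace }}/.cache/trivy`. Quote the values as strings, `TRIVY_SKIP_DB_UPDATE: "true"` and `TRIVY_SKIP_JAVA_DB_UPDATE: "true"`, since env values are strings and a bare `true` is a YAML implicit-typing trap. A comment above `env:` should state the consequence a future reader will miss: `# in-scan DB update disabled; freshness is bounded by the date-keyed cache steps above`. The step this `env:` block belongs to begins before this hunk.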