skip cis db access and run in offline mode

.github/workflows/docker-image-scan.yml

@@ -63,7 +63,8 @@ jobs:
       with:
         asset_prefix: kong-gateway-dev-linux-amd64
         image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }}
-        skip_trivy_scan: true
+        skip_cis_scan: false
+        offline_cis_scan: true
 
     - name: Scan ARM64 Image digest
       if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
@@ -73,7 +74,7 @@ jobs:
         asset_prefix: test.kong-gateway-dev-linux-arm64
         image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }}
         upload-sbom-release-assets: true
-        skip_trivy_scan: false
+        skip_cis_scan: false
 
   test-download-sbom:
     if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}

security-actions/scan-docker-image/action.yml

@@ -59,14 +59,22 @@ inputs:
     options:
       - 'true'
       - 'false'
-  skip_trivy_scan:
+  skip_cis_scan:
     required: false
     default: false
     description: 'Toggle to skip Trivy scan'
     type: choice
     options:
       - 'true'
       - 'false'
+  offline_cis_scan:
+    required: false
+    default: false
+    description: 'Skip db updates for docker cis scan and use offline mode. When set, results can be partial'
+    type: choice
+    options:
+      - 'true'
+      - 'false'
 
 outputs:
   cis-json-report:
@@ -304,17 +312,18 @@ runs:
 
     - name: Generate docker-cis JSON report
       uses: docker://aquasec/trivy:0.55.2
-      if: ${{ inputs.skip_trivy_scan != 'true' && steps.meta.outputs.scan_image != '' }}
+      if: ${{ inputs.skip_cis_scan != 'true' && steps.meta.outputs.scan_image != '' }}
       id: cis_json
       with:
         entrypoint: trivy
-        args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f json --ignore-unfixed -o ${{ steps.meta.outputs.cis_json_file }}"
+        args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f json --ignore-unfixed -o ${{ steps.meta.outputs.cis_json_file }} ${{ env.offline_cis_scan }}"
       env:
         compliance: docker-cis-1.6.0
         input: ${{ steps.docker_tar.outputs.files_exists == 'true' && '--input' || '' }}
+        offline_cis_scan: ${{ inputs.offline_cis_scan == 'true' && '--skip-db-update --skip-java-db-update --offline-scan --skip-check-update' || '' }}
 
     - name: upload docker-cis JSON report
-      if: ${{ inputs.skip_trivy_scan != 'true' && steps.meta.outputs.scan_image != '' }}
+      if: ${{ inputs.skip_cis_scan != 'true' && steps.meta.outputs.scan_image != '' }}
       uses: actions/upload-artifact@v4
       with:
         name: ${{ steps.meta.outputs.cis_json_file }}
@@ -323,12 +332,13 @@ runs:
         if-no-files-found: warn
 
     - name: Inspect docker-cis report
-      if: ${{ inputs.skip_trivy_scan != 'true' && steps.meta.outputs.scan_image != '' }}
+      if: ${{ inputs.skip_cis_scan != 'true' && steps.meta.outputs.scan_image != '' }}
       uses: docker://aquasec/trivy:0.55.2
       with:
         entrypoint: trivy
-        args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f table --ignore-unfixed --exit-code ${{ env.exit-code }}"
+        args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f table --ignore-unfixed --exit-code ${{ env.exit-code }} ${{ env.offline_cis_scan }}"
       env:
         exit-code: ${{ (steps.meta.outputs.global_enforce_build_failure == 'true' || inputs.fail_build == 'true') && '1' || '0' }}
         compliance: docker-cis-1.6.0
         input: ${{ steps.docker_tar.outputs.files_exists == 'true' && '--input' || '' }}
+        offline_cis_scan: ${{ inputs.offline_cis_scan == 'true' && '--skip-db-update --skip-java-db-update --offline-scan --skip-check-update' || '' }}