Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use the upstream Trivy action to scan licenses #4012

Merged
merged 2 commits into from
Oct 9, 2024
Merged

Use the upstream Trivy action to scan licenses #4012

merged 2 commits into from
Oct 9, 2024

Conversation

cbandy
Copy link
Member

@cbandy cbandy commented Oct 9, 2024

The upstream action no longer runs in a container, so it can access the job environment and Go modules. The license job no longer needs any ghcr.io package, so it is no longer affected by the recent rate limiting issues.

Checklist:

  • Have you added an explanation of what your changes do and why you'd like them to be included?
  • Have you updated or added documentation for the change, as applicable?
  • Have you tested your changes on all related environments with successful results, as applicable?
    • Have you added automated tests?

Type of Changes:

  • Testing enhancement

@cbandy
Use the upstream Trivy action to scan licenses
b7df80b 
The upstream action no longer runs in a container, so it can access the
job environment and Go modules.
@cbandy cbandy requested a review from benjaminjb October 9, 2024 14:34
benjaminjb
benjaminjb approved these changes Oct 9, 2024
View reviewed changes
Copy link
Contributor

@benjaminjb benjaminjb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. (Though ❓ : you prefer pinning to master rather than the 0.26.0 tag?)

What do you think about their current suggestion re: caching the vuln db in a default branch daily and using that cached db in other branches?

@cbandy
Copy link
Member Author

cbandy commented Oct 9, 2024

LGTM. (Though ❓ : you prefer pinning to master rather than the 0.26.0 tag?)

👍🏻 I'll bump these actions to the tag. Dependabot should keep us informed/updated now.

What do you think about their current suggestion re: caching the vuln db in a default branch daily and using that cached db in other branches?

I'm going to stop worrying about this in GitHub. They know the problem now, so I'm OK waiting for them to make the necessary changes to their action.

@cbandy
Pin Trivy action to its latest tagged release, 0.26.0
0b93eff 
We prefer stability in these checks. Dependabot will inform us when
there are newer releases.

See: https://github.com/aquasecurity/trivy-action/releases
@cbandy cbandy merged commit d06525d into CrunchyData:master Oct 9, 2024
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benjaminjb benjaminjb benjaminjb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cbandy @benjaminjb