Work around ghcr.io rate limiting for Trivy database downloads

See: * aquasecurity/trivy-action#389 * https://github.com/orgs/community/discussions/139074 Signed-off-by: nscuro <nscuro@protonmail.com>
DependencyTrack · Oct 1, 2024 · f316ec9 · f316ec9
1 parent 733c404
commit f316ec9
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/.github/workflows/_meta-build.yaml b/.github/workflows/_meta-build.yaml
@@ -136,6 +136,10 @@ jobs:
       - name: Run Trivy Vulnerability Scanner
         if: ${{ inputs.publish-container }}
         uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # tag=0.24.0
+        env:
+          # https://github.com/aquasecurity/trivy-action/issues/389
+          TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
+          TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1"
         with:
           image-ref: docker.io/dependencytrack/${{ matrix.distribution }}:${{ inputs.app-version }}
           format: 'sarif'

diff --git a/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskIntegrationTest.java b/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskIntegrationTest.java
@@ -93,7 +93,10 @@ public void before() throws Exception {
                 .withExposedPorts(8080)
                 .withCreateContainerCmdModifier(cmd -> cmd.getHostConfig()
                         .withBinds(Bind.parse("%s:/tmp/cache".formatted(trivyCacheVolumeName))))
-                .waitingFor(forLogMessage(".*Listening :8080.*", 1));
+                .waitingFor(forLogMessage(".*Listening :8080.*", 1))
+                // https://github.com/aquasecurity/trivy-action/issues/389
+                .withEnv("TRIVY_DB_REPOSITORY", "public.ecr.aws/aquasecurity/trivy-db:2")
+                .withEnv("TRIVY_JAVA_DB_REPOSITORY", "public.ecr.aws/aquasecurity/trivy-java-db:1");
         trivyContainer.start();
 
         qm.createConfigProperty(