trivy scan setup backup url for downloading db artifacts #957
Conversation
HaoYang0000
requested review from
roypaulin,
cchen-vertica,
fenic-fawkes,
qindotguan and
LiboYu2
as code owners
HaoYang0000
changed the title
|
We can see that the fallback url was caught in one of the test run: https://github.com/vertica/vertica-kubernetes/actions/runs/11343558108/job/31546362845 2024-10-15T09:50:49Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:8dcb18f131bc5d8d17159f7682ebd49b2ea9c784edbb03aa87fe92927ff1d851: TOOMANYREQUESTS: retry-after: 719.785µs, allowed: 44000/minute" |
|
What's the trivy version in the fallback url? |
Those URL are for trivy to download security knowledges to its running process database, I don't think the trivy version is provided in the URL. But for this feature to work(fallback URL), it required to use github action trivy-action >=0.27, which is trivy v0.56.1. |
We have seen trivy scan failure multiple times due to network issues. To make it more robust, maybe add retry to those steps, so we don't have to re-trigger it manually every time.
First option, using https://github.com/Wandalen/wretry.action. This one doesn't apply good enough in docker run, get docker os issue when trying
Second solution, add a retry step after the build: https://stackoverflow.com/questions/71574593/how-to-automatically-retry-github-action-jobs-on-failure.
Third option, wrap the trivy script and then call with run script, that way we can use other github actions like: https://github.com/marketplace/actions/retry-step This requires more efforts and need to download the trivy binary to the repo and run as script.
Fourth option, use backup URL to download if failed, as suggested in: aquasecurity/trivy#7668 (reply in thread)
Let's give the last option a shoot, and see if that makes the run more stable.