trivy scan setup backup url for downloading db artifacts #957
Conversation
We can see that the fallback url was caught in one of the test runs: https://github.com/vertica/vertica-kubernetes/actions/runs/11343558108/job/31546362845
2024-10-15T09:50:49Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:8dcb18f131bc5d8d17159f7682ebd49b2ea9c784edbb03aa87fe92927ff1d851: TOOMANYREQUESTS: retry-after: 719.785µs, allowed: 44000/minute"
What's the trivy version in the fallback url?
Those URLs are for trivy to download security knowledge into its running process database; I don't think the trivy version is provided in the URL. But for this feature (fallback URL) to work, it requires using the GitHub Action trivy-action >= 0.27, which is trivy v0.56.1.
We have seen trivy scan failures multiple times due to network issues. To make it more robust, maybe add retries to those steps, so we don't have to re-trigger it manually every time.
First option, using https://github.com/Wandalen/wretry.action. This one doesn't work well enough with docker run; got a Docker OS issue when trying it.
Second solution, add a retry step after the build: https://stackoverflow.com/questions/71574593/how-to-automatically-retry-github-action-jobs-on-failure.
Third option, wrap the trivy script and then call it with a run script; that way we can use other GitHub Actions like: https://github.com/marketplace/actions/retry-step. This requires more effort and needs the trivy binary to be downloaded to the repo and run as a script.
Fourth option, use a backup URL to download from if the first one fails, as suggested in: aquasecurity/trivy#7668 (reply in thread)
Let's give the last option a shot, and see if that makes the run more stable.
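The retry-with-fallback pattern behind the options above, as an added example that is not part of this PR or of trivy itself: a POSIX sh wrapper that tries a download command against an ordered list of targets, giving each a bounded number of attempts before moving to the next. This is the shape of the third option (wrap the scan in a script and retry it) and of what the fourth option (fallback URL) does inside trivy. The `simulated_fetch` function is a constructed stand-in that reproduces the TOOMANYREQUESTS failure from the CI log; the `ghcr.io/aquasecurity/trivy-db:2` name is the one from the log, while the `public.ecr.aws` mirror name is an assumption and should be checked against the trivy documentation for the version in use.

```shell
#!/bin/sh
# Added example, not code from the vertica-kubernetes PR or from trivy: a POSIX sh
# wrapper that retries a download step against a list of targets in order.
# Variables are prefixed fwf_ because POSIX sh has no `local`.

# fetch_with_fallback CMD MAX_ATTEMPTS DELAY_SECONDS TARGET...
#   Runs "CMD TARGET" for each TARGET in order. Each target gets up to
#   MAX_ATTEMPTS tries with DELAY_SECONDS between them. On the first success
#   the winning target is printed to stdout and 0 is returned; 1 means every
#   target was exhausted. CMD is a shell function name or an executable.
fetch_with_fallback() {
    fwf_cmd=$1
    fwf_max=$2
    fwf_delay=$3
    shift 3
    for fwf_target in "$@"; do
        fwf_attempt=1
        while [ "$fwf_attempt" -le "$fwf_max" ]; do
            if "$fwf_cmd" "$fwf_target"; then
                echo "fetched from $fwf_target on attempt $fwf_attempt" >&2
                echo "$fwf_target"
                return 0
            fi
            echo "attempt $fwf_attempt/$fwf_max failed for $fwf_target" >&2
            fwf_attempt=$((fwf_attempt + 1))
            # Fixed delay between attempts; trivy's own error carries a
            # retry-after hint that a fuller wrapper could parse instead.
            if [ "$fwf_attempt" -le "$fwf_max" ]; then
                sleep "$fwf_delay"
            fi
        done
    done
    echo "all targets exhausted, giving up" >&2
    return 1
}

# Constructed stand-in for the real download step (for instance
# `trivy image --download-db-only` with TRIVY_DB_REPOSITORY set to the
# target; how that is wired into CI is an assumption). It reproduces the
# failure from the CI log above: ghcr.io always answers with a rate-limit
# error, any other registry succeeds.
simulated_fetch() {
    case $1 in
        ghcr.io/*)
            echo "GET $1: TOOMANYREQUESTS (simulated)" >&2
            return 1 ;;
        *)
            return 0 ;;
    esac
}

# Demo run: the primary ghcr.io repository from the log, then an assumed
# mirror. In CI, replace simulated_fetch with the real download command.
fetch_with_fallback simulated_fetch 3 0 \
    "ghcr.io/aquasecurity/trivy-db:2" \
    "public.ecr.aws/aquasecurity/trivy-db:2" || echo "download failed" >&2
```

In a workflow this would live in the repository and be called from a `run:` step, which is the extra effort the third option mentions; the fixed delay is deliberately simple, and a production wrapper would also cap total wall-clock time so a rate-limited registry cannot stall the job indefinitely.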