From 339bc1eab287ba97e72442c4b580371aab59d1ec Mon Sep 17 00:00:00 2001
From: Vishal Choudhary
Date: Mon, 7 Oct 2024 18:09:28 +0530
Subject: [PATCH] fix: use aws mirror of trivy db to fix rate limiter issue (#11342)

Signed-off-by: Vishal Choudhary
---
 .github/workflows/devcontainer-build.yaml | 4 ++++
 .github/workflows/images-build.yaml | 4 ++++
 .github/workflows/images-publish.yaml | 4 ++++
 .github/workflows/release.yaml | 4 ++++
 .github/workflows/report-on-vulnerabilities.yaml | 16 ++++++++++++----
 5 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/devcontainer-build.yaml b/.github/workflows/devcontainer-build.yaml
index 1ab2591bdb..06798f4849 100644
--- a/.github/workflows/devcontainer-build.yaml
+++ b/.github/workflows/devcontainer-build.yaml
@@ -30,3 +30,7 @@ jobs:
 format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
+ env:
+ # Trivy is returning TOOMANYREQUESTS
+ # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
+ TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
diff --git a/.github/workflows/images-build.yaml b/.github/workflows/images-build.yaml
index f50db509e3..520b658585 100644
--- a/.github/workflows/images-build.yaml
+++ b/.github/workflows/images-build.yaml
@@ -39,3 +39,7 @@ jobs:
 format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
+ env:
+ # Trivy is returning TOOMANYREQUESTS
+ # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
+ TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
diff --git a/.github/workflows/images-publish.yaml b/.github/workflows/images-publish.yaml
index 7192daf43b..cd1ed32fee 100644
--- a/.github/workflows/images-publish.yaml
+++ b/.github/workflows/images-publish.yaml
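Review bot: `TRIVY_DB_REPOSITORY` now pulls the vulnerability database from a mutable tag (`public.ecr.aws/aquasecurity/trivy-db:2`) while the action on the step above stays pinned by commit SHA; the `2` tag tracks the DB schema version and has to stay mutable to keep receiving updates, so what changes here is trust in the ECR public mirror rather than something a digest pin could address, and the comment should record that instead of only the symptom, e.g. `# Fetch the vulnerability DB from the AWS public mirror instead of the default registry, which rate-limits CI runs (see link below); tag 2 is the DB schema version and is intentionally mutable.` The same four lines are repeated in images-build.yaml, images-publish.yaml, release.yaml and the three scan steps of report-on-vulnerabilities.yaml, so the comment change applies to each of them. Trivy reads a parallel `TRIVY_JAVA_DB_REPOSITORY` for its Java database; should any scanned image contain JAR artifacts, that pull would still go to the default registry and meet the same limit, so it is worth setting alongside this one. The step this env block belongs to starts above the hunk.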
@@ -47,6 +47,10 @@ jobs:
 format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
+ env:
+ # Trivy is returning TOOMANYREQUESTS
+ # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
+ TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
 - name: Install Cosign
 uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 - name: Publish kyverno
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 74b4b17cc6..296f9fe1e8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -42,6 +42,10 @@ jobs:
 format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
+ env:
+ # Trivy is returning TOOMANYREQUESTS
+ # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
+ TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
 - name: Install Cosign
 uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 - name: Publish kyverno
diff --git a/.github/workflows/report-on-vulnerabilities.yaml b/.github/workflows/report-on-vulnerabilities.yaml
index 45c653872a..734b084718 100644
--- a/.github/workflows/report-on-vulnerabilities.yaml
+++ b/.github/workflows/report-on-vulnerabilities.yaml
@@ -31,14 +31,16 @@ jobs:
 - name: Scan for vulnerabilities in latest image uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 - with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest format: json ignore-unfixed: false severity: HIGH,CRITICAL output: scan1.json - + env: + # Trivy is returning TOOMANYREQUESTS + # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577 + TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2' - name: Scan for vulnerabilities in latest-1 image uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 with:
@@ -47,7 +49,10 @@ jobs:
 ignore-unfixed: false
 severity: HIGH,CRITICAL
 output: scan2.json
-
+ env:
+ # Trivy is returning TOOMANYREQUESTS
+ # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
+ TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
 - name: Scan for vulnerabilities in latest-2 image
 uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
 with:
@@ -56,7 +61,10 @@ jobs:
 ignore-unfixed: false
 severity: HIGH,CRITICAL
 output: scan3.json
-
+ env:
+ # Trivy is returning TOOMANYREQUESTS
+ # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
+ TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
 - name: Merge scan results
 id: merge-results
 run: |
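Review bot: The identical four-line `env:` block is attached to each of the three scan steps in report-on-vulnerabilities.yaml (this `-56,7` hunk, the `-47,7` hunk above it and the `-31,14` hunk before that), so a later change to the mirror has to be made three times in this file. Steps inherit `env:` set on their job, so one job-level entry, `env:` followed by `  TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'`, would cover all three scans and give the explanatory comment a single home. The job header that would hold it, and the body of the `Merge scan results` step after `run: |`, are outside the hunk.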