From 1c9862b9b72af7b727ab38ddf470a1ea3ae17708 Mon Sep 17 00:00:00 2001
From: Michael Beemer
Date: Wed, 30 Oct 2024 10:36:54 -0400
Subject: [PATCH] ci(trivy): fetch vulnerabilities DB from ERC

Signed-off-by: Michael Beemer
---
 .github/workflows/build.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index de46a87f9..c5cb52229 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -95,12 +95,15 @@ jobs:
           tags: flagd-local:test
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.28.0
         with:
           input: ${{ github.workspace }}/flagd-local.tar
           format: "sarif"
           output: "trivy-results.sarif"
           severity: "CRITICAL,HIGH"
+        env:
+          # use an alternative trivvy db to avoid rate limits
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3
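Review bot: The Trivy step is now pinned to the tag `0.28.0` rather than a commit SHA, while the upload-sarif step at the end of the same hunk pins a full SHA with a `# v3` comment; tags are mutable, so for the same supply-chain reason use `uses: aquasecurity/trivy-action@<commit-sha-for-0.28.0> # v0.28.0` (the SHA is not on the page). The added `TRIVY_DB_REPOSITORY` value is an unquoted plain scalar; it parses as a string here, but quoting it as `TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2"` matches the quoted values in the `with:` block and protects a later edit from introducing ` #` or `: ` into the list. The comment above it misspells the tool (`trivvy`); `# use alternative trivy db mirrors (ECR first, then GHCR) to avoid rate limits` would also record the intended order, assuming the comma-separated list is tried first-to-succeed, which the hunk does not show. The enclosing job and its `steps:` list begin before the hunk.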