From f5dcc73344babafa7db6dd26dbaecf13c675f69f Mon Sep 17 00:00:00 2001
From: Gauvino
Date: Fri, 5 Jun 2026 13:16:13 +0200
Subject: [PATCH] ci(security): scan every push and stabilise the Trivy DB cache key

Drop the push paths filter so secret and misconfig scans cover all file types (YAML, JSON, native, scripts), not just JS/TS.
Replace the per-run github.run_id cache key with a weekly per-OS key, so the vulnerability DB is reused within the week instead of writing a fresh immutable cache entry on every run.
---
 .github/workflows/trivy-scan.yml | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
index 7dad659e9..9eea1fbc1 100644
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -7,14 +7,6 @@ name: 🛡️ Trivy Security Scan
on:
push:
branches: [develop, master]
- paths:
- - "package.json"
- - "bun.lock"
- - "**/*.ts"
- - "**/*.tsx"
- - "**/*.js"
- - "**/*.jsx"
- - ".github/workflows/trivy-scan.yml"
schedule:
- cron: "50 7 * * 5" # Weekly, Friday 07:50 UTC
workflow_dispatch:
@@ -37,12 +29,18 @@ jobs:
- name: 📥 Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

+ # Rotate the DB cache weekly (matches the scheduled scan): cache hits within the week
+ # instead of a fresh immutable entry per run, still refreshing the DB every week.
+ - name: 🗓️ Compute weekly Trivy cache key
+ id: trivy-cache-key
+ run: echo "value=trivy-db-${{ runner.os }}-$(date -u +%G-%V)" >> "$GITHUB_OUTPUT"
+
- name: 💾 Cache Trivy vulnerability DB
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ~/.cache/trivy
- key: trivy-db-${{ github.run_id }}
- restore-keys: trivy-db-
+ key: ${{ steps.trivy-cache-key.outputs.value }}
+ restore-keys: trivy-db-${{ runner.os }}-

- name: 🔎 Run Trivy filesystem scan
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
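Review bot: The comment above the new "Compute weekly Trivy cache key" step says the rotation "matches the scheduled scan", but `$(date -u +%G-%V)` rotates the key at the ISO-week boundary (Monday 00:00 UTC) while the cron in the first hunk fires Friday 07:50 UTC, so the week's entry is seeded by the first push after Monday rather than by the scheduled scan; suggest `# Rotate the DB cache on ISO-week boundaries (Monday 00:00 UTC); the first run of the week seeds it.` It is also worth stating in that comment that actions/cache writes a new entry only on an exact-key miss, so a DB that Trivy refreshes during a later run in the same week (it re-downloads when the DB's NextUpdate metadata has passed, which I believe is on the order of hours rather than a week) is not written back to the cache — the restored entry is a seed, not a guarantee that mid-week runs scan with a current DB. Finally, the new `restore-keys: trivy-db-${{ runner.os }}-` prefix does not match the old `trivy-db-<run_id>` entries, so the first run after this change cold-starts once; harmless, but expected.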