diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
index 6bd08de9859b..22a55db552cc 100644
--- a/.github/workflows/cve-scan.yml
+++ b/.github/workflows/cve-scan.yml
@@ -51,6 +51,11 @@ jobs:
 # ------------------------------------------------------------------
 cve-scan:
 runs-on: ubuntu-24.04
+ env:
+ # Trivy scanner image, pinned by digest. Pulled from GHCR (ghcr.io), which serves the
+ # identical manifest digest as Docker Hub but is more reliable on GitHub-hosted runners.
+ # Pre-pulled with retry below to absorb transient registry pull timeouts (exit code 125).
+ TRIVY_IMAGE: ghcr.io/aquasecurity/trivy:0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c
 permissions:
 contents: read
 security-events: write
@@ -142,6 +147,22 @@ jobs:
 else
 cp ${{ matrix.scan-path }}/iceberg-${{ matrix.distribution }}-*.jar /tmp/cve-scan/
 fi
+ - name: Pull Trivy image (with retry)
+ # Pre-pull the scanner image so the action's docker run finds it locally and never hits
+ # the registry. Retrying with backoff absorbs transient registry pull timeouts (exit 125).
+ run: |
+ for attempt in 1 2 3 4 5; do
+ if docker pull "${TRIVY_IMAGE}"; then
+ exit 0
+ fi
+ if [ "${attempt}" = "5" ]; then
+ break
+ fi
+ echo "docker pull failed (attempt ${attempt}/5); retrying in $((attempt * 10))s..." >&2
+ sleep "$((attempt * 10))"
+ done
+ echo "Failed to pull ${TRIVY_IMAGE} after 5 attempts" >&2
+ exit 1
 - name: Run Trivy vulnerability scan
 uses: lhotari/sandboxed-trivy-action@f01374b6cc3bf7264ab238293e94f6db7ada6dd0 # v1.0.2
 with:
@@ -155,6 +176,7 @@ jobs:
 exit-code: ${{ github.event_name == 'pull_request' && '1' || '0' }}
 format: 'sarif'
 output: 'trivy-results.sarif'
+ trivy-image: ${{ env.TRIVY_IMAGE }}
 - name: Print Trivy scan results
 if: always()
 run: |
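Review bot: The retry loop in the "Pull Trivy image (with retry)" step retries on any non-zero exit from `docker pull`, not only the transient registry timeouts the comment describes, so a permanent failure such as the pinned digest no longer matching what the registry serves is retried five times (about 100 s of backoff sleeps) before the job fails; the step comment should state that plainly, e.g. `# Retries on any pull failure; a digest mismatch is also retried and then fails the job`. The "(exit 125)" in both the job-level env comment and the step comment appears to refer to the action's `docker run`, since `docker pull` itself does not signal failure with that code, so rewording it would avoid suggesting the loop keys on 125. The claim that the action "never hits the registry" depends on how lhotari/sandboxed-trivy-action invokes docker, which is outside this diff; if it pulls with an always policy the pre-pull is wasted work, so confirm and hedge the comment accordingly. The third hunk's `trivy-image: ${{ env.TRIVY_IMAGE }}` relies on the action accepting that input at the pinned commit, which cannot be verified from these lines.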