
CI: cache Trivy vulnerability database for repo and filesystem scans#3290

Merged
arkid15r merged 2 commits into OWASP:main from SuyashJain17:ci-trivy-db-cache
Jan 10, 2026
Conversation

@SuyashJain17 (Contributor)

Proposed change

Resolves #3268

This PR enables caching of the Trivy vulnerability database for the scan-code and scan-ci-dependencies jobs.

It adds the aquasecurity/setup-trivy step with caching enabled and updates the Trivy scan steps to reuse the cached database, following the same pattern already used in the scan-production-images job.

There is no change to scan behavior, configuration, or results.
The change only avoids re-downloading the Trivy DB on every workflow run, improving CI performance and consistency.

Checklist

  • Required: I read and followed the contributing guidelines
  • Required: I ran make check-test locally and all tests passed
  • I used AI for code, documentation, or tests in this PR
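The pattern the description refers to, written out as an added illustration rather than the PR's own diff: one Setup Trivy step that installs the CLI and restores the cached Trivy cache directory, followed by a scan step that reuses it via skip-setup-trivy. The workflow-level TRIVY_VERSION variable, the job and step names, and the fs scan target are assumptions; the action commit SHAs are the ones already used on this page.

```yaml
# Added illustration (not the PR's own change): the Setup Trivy + skip-setup-trivy
# caching pattern, with the Trivy CLI version defined once at workflow level so
# every job that scans installs the same scanner. TRIVY_VERSION, the job name and
# the step names are assumptions for this example.
name: run-ci-cd (excerpt)

on: [push, pull_request]

env:
  TRIVY_VERSION: v0.62.1   # single source of truth for the pinned CLI version

jobs:
  scan-code:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8

      # Installs the Trivy CLI once and restores its cache directory (where the
      # vulnerability DB lives) from the Actions cache, so the DB is not
      # re-downloaded on every workflow run.
      - name: Setup Trivy
        uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1
        with:
          cache: true
          version: ${{ env.TRIVY_VERSION }}

      # skip-setup-trivy tells trivy-action not to run its own setup, so the scan
      # uses the CLI and DB prepared above. A `version:` input on this step would
      # be ignored once the flag is set, which is why the pin lives in Setup Trivy.
      # exit-code: 1 without continue-on-error keeps findings as a hard gate.
      - name: Run Trivy filesystem scan
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
        with:
          exit-code: 1
          scan-type: fs
          scan-ref: .
          skip-setup-trivy: true
          trivy-config: trivy.yaml
          trivyignores: trivyignore.yaml
```

Keeping the version in one env variable means a later bump changes every job together, which avoids the cross-job version drift that the review comments below this description raise.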

@coderabbitai (coderabbitai bot) commented Jan 10, 2026

Summary by CodeRabbit

  • Chores
    • Optimized the security scanning workflow to initialize the scanner once and skip redundant setup during the same CI run, reducing pipeline overhead and speeding up scans; removed redundant setup entries for cleaner CI configuration.


Walkthrough

Adds explicit "Setup Trivy" steps with caching to CI jobs and sets skip-setup-trivy: true on subsequent Trivy actions to avoid reinitialization; removes version: latest and a hardcoded Trivy version in affected workflow steps.

Changes

  • CI workflow (Trivy setup & scans): .github/workflows/run-ci-cd.yaml
    Inserts Setup Trivy steps (with cache: true) before scan-code, scan-ci-dependencies, and image scanning jobs; removes version: latest from Trivy actions and adds skip-setup-trivy: true to the subsequent Trivy scan steps; removes one explicit Trivy version in production/staging and in run-backend-tests setup.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • kasya
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

  • Title check: Passed. The title clearly and specifically describes the main change: enabling Trivy vulnerability database caching for repo and filesystem scans.
  • Description check: Passed. The description is well-related to the changeset, explaining the motivation, implementation approach, and benefits of caching the Trivy database.
  • Linked Issues check: Passed. The PR successfully implements the requirement from issue #3268 by adding aquasecurity/setup-trivy with caching enabled to scan-code and scan-ci-dependencies jobs.
  • Out of Scope Changes check: Passed. All changes are directly related to the objective of enabling Trivy database caching; no out-of-scope modifications are present.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
.github/workflows/run-ci-cd.yaml (2)

137-141: Consider pinning the Trivy version for consistency.

The Setup Trivy step correctly enables caching, which will improve CI performance. However, no Trivy version is specified here, while the production scans (lines 782-786) explicitly pin to v0.62.1. This inconsistency could lead to different Trivy versions running across jobs in the same workflow.

♻️ Suggested version pinning for consistency
 - name: Setup Trivy
   uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1
   with:
     cache: true
+    version: v0.62.1
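Review bot: the added `version: v0.62.1` line fixes the mismatch for this one step only; the same literal would then live in at least three Setup Trivy steps (scan-code, scan-ci-dependencies, scan-production-images), and the next bump of the production pin silently re-creates the drift this suggestion is trying to remove. Suggest defining the version once at workflow level (for example `env: TRIVY_VERSION: v0.62.1`) and using `version: ${{ env.TRIVY_VERSION }}` in every Setup Trivy step, so all jobs scan with the same CLI and DB schema by construction.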

163-167: Consider pinning the Trivy version for consistency.

Same as the scan-code job, this Setup Trivy step should specify version: v0.62.1 to match the production scans and ensure consistent vulnerability detection across all jobs.

♻️ Suggested version pinning
 - name: Setup Trivy
   uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1
   with:
     cache: true
+    version: v0.62.1
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d912c99 and 93d21d7.

📒 Files selected for processing (1)
  • .github/workflows/run-ci-cd.yaml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-21T19:03:59.068Z
Learnt from: ahmedxgouda
Repo: OWASP/Nest PR: 1139
File: .github/workflows/setup-backend-environment/action.yaml:16-27
Timestamp: 2025-12-21T19:03:59.068Z
Learning: Composite actions (runs: using: composite) execute as steps within the calling job's context and can access the job context, including job.services.* properties (e.g., job.services.<service_id>.id, job.services.<service_id>.ports). Service containers must be defined at the job level, but a composite action's steps can reference them via the job context.

Applied to files:

  • .github/workflows/run-ci-cd.yaml
🔇 Additional comments (5)
.github/workflows/run-ci-cd.yaml (5)

142-148: LGTM! Correctly reuses cached Trivy DB.

The skip-setup-trivy: true flag appropriately prevents redundant database downloads by reusing the cached DB from the Setup Trivy step.


168-174: LGTM! Correctly reuses cached Trivy DB.

The skip-setup-trivy: true flag appropriately prevents redundant setup and reuses the cached database.


782-786: LGTM! Good practice pinning the Trivy version.

This Setup Trivy step correctly enables caching and explicitly pins to v0.62.1, ensuring deterministic scans. This version should also be used in the scan-code and scan-ci-dependencies jobs for consistency.


788-806: LGTM! Both image scans correctly reuse the cached DB.

Both the backend and frontend image scans appropriately set skip-setup-trivy: true to reuse the cached Trivy database, avoiding redundant downloads.


411-442: Verify whether scan-staging-images should also use cached Trivy DB.

The scan-staging-images job was not updated with the Setup Trivy caching pattern, unlike scan-production-images. This means staging image scans will continue re-downloading the Trivy database on each run (~1-2 minutes overhead per the issue).

For consistency and to maximize CI performance gains, consider applying the same caching pattern here:

  1. Add a Setup Trivy step with cache: true and version: v0.62.1
  2. Add skip-setup-trivy: true to both image scan steps
  3. Remove the version: latest parameters from lines 431 and 442
♻️ Suggested changes to enable caching

Add Setup Trivy step after line 420:

- name: Setup Trivy
  uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1
  with:
    cache: true
    version: v0.62.1

Update backend scan:

 - name: Scan backend image
   continue-on-error: true
   uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
   with:
     exit-code: 1
     image-ref: owasp/nest:backend-staging
     scan-type: image
+    skip-setup-trivy: true
     trivy-config: trivy.yaml
     trivyignores: trivyignore.yaml
-    version: latest
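Review bot: the `+    skip-setup-trivy: true` line makes the removed `-    version: latest` line inert rather than merely redundant: once the flag is set, trivy-action no longer installs the CLI, so any `version:` on the scan step is ignored and the effective scanner version is whatever the Setup Trivy step above selects (v0.62.1 in the snippet). Worth confirming in the PR text that the version pin is intended to live only in Setup Trivy from now on. Separately, `continue-on-error: true` together with `exit-code: 1` means findings in the staging image never fail the job; that is pre-existing, but since this hunk touches the step it is a good moment to check that the soft gate is still intentional.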

Update frontend scan similarly:

 - name: Scan frontend image
   continue-on-error: true
   uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
   with:
     exit-code: 1
     image-ref: owasp/nest:frontend-staging
     scan-type: image
+    skip-setup-trivy: true
     trivy-config: trivy.yaml
     trivyignores: trivyignore.yaml
-    version: latest

coderabbitai bot previously approved these changes Jan 10, 2026
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/run-ci-cd.yaml (1)

411-443: Consider applying the same caching pattern for consistency.

The scan-staging-images job doesn't use the Trivy caching pattern that's now implemented in scan-code, scan-ci-dependencies, and scan-production-images. Adding the Setup Trivy step here would improve consistency and CI performance.

♻️ Suggested refactor to add caching

Add the Setup Trivy step after the checkout and remove version: latest from the scan steps:

     - name: Check out repository
       uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 
+    - name: Setup Trivy
+      uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1
+      with:
+        cache: true
+
     - name: Scan backend image
       continue-on-error: true
       uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
       with:
         exit-code: 1
         image-ref: owasp/nest:backend-staging
         scan-type: image
+        skip-setup-trivy: true
         trivy-config: trivy.yaml
         trivyignores: trivyignore.yaml
-        version: latest
 
     - name: Scan frontend image
       continue-on-error: true
       uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
       with:
         exit-code: 1
         image-ref: owasp/nest:frontend-staging
         scan-type: image
+        skip-setup-trivy: true
         trivy-config: trivy.yaml
         trivyignores: trivyignore.yaml
-        version: latest
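Review bot: the suggested `+    - name: Setup Trivy` block carries `cache: true` but no `version:`, so scan-staging-images would install whatever setup-trivy defaults to, while the earlier suggestion for this same job (and the scan-production-images job it is meant to mirror) pins v0.62.1. Add `+        version: v0.62.1` under `with:` (or a shared workflow-level variable) so staging and production image scans run the same scanner; otherwise this refactor trades one inconsistency (`version: latest` on the scan step) for another (an unpinned install on the setup step).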
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 93d21d7 and f8dc4a0.

📒 Files selected for processing (1)
  • .github/workflows/run-ci-cd.yaml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-21T19:03:59.068Z
Learnt from: ahmedxgouda
Repo: OWASP/Nest PR: 1139
File: .github/workflows/setup-backend-environment/action.yaml:16-27
Timestamp: 2025-12-21T19:03:59.068Z
Learning: Composite actions (runs: using: composite) execute as steps within the calling job's context and can access the job context, including job.services.* properties (e.g., job.services.<service_id>.id, job.services.<service_id>.ports). Service containers must be defined at the job level, but a composite action's steps can reference them via the job context.

Applied to files:

  • .github/workflows/run-ci-cd.yaml
🔇 Additional comments (2)
.github/workflows/run-ci-cd.yaml (2)

163-174: LGTM! Caching pattern correctly implemented.

The Setup Trivy step and skip-setup-trivy: true parameter are correctly configured. This job will benefit from the cached Trivy database, reducing CI execution time. The implementation is consistent with both the scan-code and scan-production-images jobs.


137-148: LGTM! Caching pattern correctly implemented.

The addition of the Setup Trivy step with cache: true and the skip-setup-trivy: true parameter correctly follows the pattern established in the scan-production-images job. This should reduce workflow execution time by caching the Trivy vulnerability database.

Note: The scan-staging-images job still uses version: latest without the Setup Trivy caching step. Consider updating it for consistency if that job's performance is also a concern.

@arkid15r arkid15r added this pull request to the merge queue Jan 10, 2026
Merged via the queue into OWASP:main with commit eef43b6 Jan 10, 2026
27 checks passed