fix(scan-docker-image): grype DB should be downloaded at least daily (#329)

LorenzoScebba · web-flow · commit 0d5de5a9f61e · 2025-10-13T11:06:46.000+02:00
diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml
@@ -176,15 +176,21 @@ runs:
       env:
         grype: ${{ steps.grype.outputs.grype-path }}
 
+    - name: Get current date
+      id: date
+      shell: bash
+      run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
     # Explicitly check for Grype DB in Git Cache
     - name: Check Git Cache for Grype DB
       id: grype_db_git_cache
       uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
       with:
         # Grype cache files are stored in `~/.cache/grype/db` on Linux/macOS
         path: ~/.cache/grype/db
+        # Given the DB should not be less than 5 days old let's refetch it at least once per day
         key: |
-          cache_grype_db_v${{ steps.grype_metadata.outputs.grype_db_schema }}
+          cache_grype_db_v${{ steps.grype_metadata.outputs.grype_db_schema }}_${{ steps.date.outputs.date }}
 
     # Explicitly check for Grype DB in specified mirror
     - name: Parse Grype DB cache input
