security/trivy.yml +21 −0 @@ -7,6 +7,27 @@ variables: name: aquasec/trivy entrypoint: [""] .trivy:image: extends: .trivy script: - trivy image $TRIVY_IMAGE_ARGS $TRIVY_TARGET --output ${CI_PROJECT_DIR}/trivy.txt - cat ${CI_PROJECT_DIR}/trivy.txt - | if $(grep -qE ${TRIVY_DENYLIST_REGEX:-CVE-xxx} ${CI_PROJECT_DIR}/trivy.txt); then echo "[!] Detected vulnerability that matches provided TRIVY_DENYLIST_REGEX: ${TRIVY_DENYLIST_REGEX}." exit 1 fi - | if ! trivy image $TRIVY_IMAGE_ARGS $TRIVY_TARGET --exit-code 1 --severity $TRIVY_SEVERITIES &>/dev/null; then echo "[!] Detected vulnerabilities with severity $TRIVY_SEVERITIES." exit 1 fi - echo "[+] Found no vulnerabilities with severity $TRIVY_SEVERITIES." artifacts: paths: - trivy.txt .trivy:sbom: extends: .trivy script:
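Review bot: The severity gate `if ! trivy image $TRIVY_IMAGE_ARGS $TRIVY_TARGET --exit-code 1 --severity $TRIVY_SEVERITIES &>/dev/null; then` is only correct under bash; if the job shell resolves to a POSIX sh (the aquasec/trivy image may not ship bash, so the runner could fall back to /bin/sh), `&>` is parsed as the background operator `&` followed by a bare redirect, the scan is backgrounded with status 0, the `!` test never fires, and the job prints "Found no vulnerabilities" regardless of findings. Write the redirect portably as `>/dev/null 2>&1`, and note that discarding stderr also turns trivy's own failures (registry auth, network, bad arguments) into a misleading "Detected vulnerabilities" message, so it is worth keeping stderr or checking the exit code explicitly rather than folding every non-zero status into that branch. The denylist check `if $(grep -qE ${TRIVY_DENYLIST_REGEX:-CVE-xxx} ${CI_PROJECT_DIR}/trivy.txt); then` works only because an empty command inherits the exit status of its last command substitution, and it exposes the unquoted regex to globbing and word splitting; the intended form is `if grep -qE -- "${TRIVY_DENYLIST_REGEX:-CVE-xxx}" "${CI_PROJECT_DIR}/trivy.txt"; then`. Both points apply equally to the duplicated rendering of this same section below.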
security/trivy.yml +21 −0 @@ -7,6 +7,27 @@ variables: name: aquasec/trivy entrypoint: [""] .trivy:image: extends: .trivy script: - trivy image $TRIVY_IMAGE_ARGS $TRIVY_TARGET --output ${CI_PROJECT_DIR}/trivy.txt - cat ${CI_PROJECT_DIR}/trivy.txt - | if $(grep -qE ${TRIVY_DENYLIST_REGEX:-CVE-xxx} ${CI_PROJECT_DIR}/trivy.txt); then echo "[!] Detected vulnerability that matches provided TRIVY_DENYLIST_REGEX: ${TRIVY_DENYLIST_REGEX}." exit 1 fi - | if ! trivy image $TRIVY_IMAGE_ARGS $TRIVY_TARGET --exit-code 1 --severity $TRIVY_SEVERITIES &>/dev/null; then echo "[!] Detected vulnerabilities with severity $TRIVY_SEVERITIES." exit 1 fi - echo "[+] Found no vulnerabilities with severity $TRIVY_SEVERITIES." artifacts: paths: - trivy.txt .trivy:sbom: extends: .trivy script: