Loading security/trivy.yml +12 −4 Original line number Diff line number Diff line Loading @@ -10,12 +10,20 @@ variables: .trivy:sbom: extends: .trivy script: - trivy sbom $TRIVY_SBOM_ARGS $TRIVY_TARGET - trivy sbom $TRIVY_SBOM_ARGS $TRIVY_TARGET --output ${CI_PROJECT_DIR}/trivy.txt - cat ${CI_PROJECT_DIR}/trivy.txt - | if $(grep -qE ${TRIVY_DENYLIST_REGEX:-CVE-xxx} ${CI_PROJECT_DIR}/trivy.txt); then echo "[!] Detected vulnerability that matches provided TRIVY_DENYLIST_REGEX: ${TRIVY_DENYLIST_REGEX}." exit 1 fi - | if ! trivy sbom $TRIVY_SBOM_ARGS $TRIVY_TARGET --exit-code 1 --severity $TRIVY_SEVERITIES &>/dev/null; then echo "[!] Detected vulnerabilities with severity $TRIVY_SEVERITIES." exit 1 else echo "[+] Found no vulnerabilities with severity $TRIVY_SEVERITIES." exit 0 fi - echo "[+] Found no vulnerabilities with severity $TRIVY_SEVERITIES." artifacts: paths: - trivy.txt Loading
security/trivy.yml +12 −4 Original line number Diff line number Diff line Loading @@ -10,12 +10,20 @@ variables: .trivy:sbom: extends: .trivy script: - trivy sbom $TRIVY_SBOM_ARGS $TRIVY_TARGET - trivy sbom $TRIVY_SBOM_ARGS $TRIVY_TARGET --output ${CI_PROJECT_DIR}/trivy.txt - cat ${CI_PROJECT_DIR}/trivy.txt - | if $(grep -qE ${TRIVY_DENYLIST_REGEX:-CVE-xxx} ${CI_PROJECT_DIR}/trivy.txt); then echo "[!] Detected vulnerability that matches provided TRIVY_DENYLIST_REGEX: ${TRIVY_DENYLIST_REGEX}." exit 1 fi - | if ! trivy sbom $TRIVY_SBOM_ARGS $TRIVY_TARGET --exit-code 1 --severity $TRIVY_SEVERITIES &>/dev/null; then echo "[!] Detected vulnerabilities with severity $TRIVY_SEVERITIES." exit 1 else echo "[+] Found no vulnerabilities with severity $TRIVY_SEVERITIES." exit 0 fi - echo "[+] Found no vulnerabilities with severity $TRIVY_SEVERITIES." artifacts: paths: - trivy.txt
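Review bot: The new denylist check `if $(grep -qE ${TRIVY_DENYLIST_REGEX:-CVE-xxx} ${CI_PROJECT_DIR}/trivy.txt); then` only works because the shell substitutes grep's (empty, due to `-q`) output as the command and then falls back to the substitution's exit status; write it as a plain command and quote the pattern so a regex containing spaces or `*` is not word-split or glob-expanded: `if grep -qE "${TRIVY_DENYLIST_REGEX:-CVE-xxx}" "${CI_PROJECT_DIR}/trivy.txt"; then`. When no denylist is configured the step still greps for the literal placeholder `CVE-xxx` and the failure message would print an empty value, so consider skipping the check instead, e.g. `if [ -n "${TRIVY_DENYLIST_REGEX:-}" ] && grep -qE "$TRIVY_DENYLIST_REGEX" "${CI_PROJECT_DIR}/trivy.txt"; then`. The added `artifacts` block keeps `trivy.txt` only when the job succeeds (GitLab's `artifacts:when` defaults to `on_success`), which is exactly the case where nobody needs the report; add `when: always` under `artifacts` so a failing scan still uploads it. The second `trivy sbom` invocation still sends everything to `&>/dev/null`, so a scanner error (database download failure, unreadable target) is reported as "Detected vulnerabilities with severity ..." — presumably pre-existing, but now that the first run already writes a report it may be worth reusing that output rather than re-scanning blind.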