Loading python/cyclonedx.yml 0 → 100644 +36 −0 Original line number Diff line number Diff line --- include: - local: security/trivy.yml - local: python/generic.yml .freeze-dependencies: &freeze-dependencies - python3 -m venv .venv - source .venv/bin/activate - !reference [".python:pre-install", script] - python3 -m pip freeze > ${CI_PROJECT_DIR}/requirements-cyclonedx.txt - deactivate python:cyclonedx: extends: .python:pre variables: JOB_PACKAGE: cyclonedx-bom script: - !reference [".python:pre", script] - *freeze-dependencies - cyclonedx-py requirements ${CI_PROJECT_DIR}/requirements-cyclonedx.txt --outfile ${CI_PROJECT_DIR}/cyclonedx.json artifacts: paths: - pip-log.txt - requirements-cyclonedx.txt - cyclonedx.json reports: cyclonedx: - cyclonedx.json when: always trivy:python: extends: .trivy:sbom variables: TRIVY_TARGET: cyclonedx.json needs: ["python:cyclonedx"] security/trivy.yml 0 → 100644 +21 −0 Original line number Diff line number Diff line --- variables: TRIVY_SEVERITIES: HIGH,CRITICAL # comma-separated list of severities to fail on (LOW,MEDIUM,HIGH,CRITICAL) .trivy: image: name: aquasec/trivy entrypoint: [""] .trivy:sbom: extends: .trivy script: - trivy sbom $TRIVY_SBOM_ARGS $TRIVY_TARGET - | if ! trivy sbom $TRIVY_SBOM_ARGS $TRIVY_TARGET --exit-code 1 --severity $TRIVY_SEVERITIES &>/dev/null; then echo "[!] Detected vulnerabilities with severity $TRIVY_SEVERITIES." exit 1 else echo "[+] Found no vulnerabilities with severity $TRIVY_SEVERITIES." exit 0 fi Loading
python/cyclonedx.yml 0 → 100644 +36 −0 Original line number Diff line number Diff line --- include: - local: security/trivy.yml - local: python/generic.yml .freeze-dependencies: &freeze-dependencies - python3 -m venv .venv - source .venv/bin/activate - !reference [".python:pre-install", script] - python3 -m pip freeze > ${CI_PROJECT_DIR}/requirements-cyclonedx.txt - deactivate python:cyclonedx: extends: .python:pre variables: JOB_PACKAGE: cyclonedx-bom script: - !reference [".python:pre", script] - *freeze-dependencies - cyclonedx-py requirements ${CI_PROJECT_DIR}/requirements-cyclonedx.txt --outfile ${CI_PROJECT_DIR}/cyclonedx.json artifacts: paths: - pip-log.txt - requirements-cyclonedx.txt - cyclonedx.json reports: cyclonedx: - cyclonedx.json when: always trivy:python: extends: .trivy:sbom variables: TRIVY_TARGET: cyclonedx.json needs: ["python:cyclonedx"]
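Review bot: The SBOM in `python:cyclonedx` is derived from a `pip freeze` text file, so `cyclonedx-py requirements` only ever sees `name==version` lines — no package hashes or dist-info metadata — and anything `.python:pre-install` drops into `.venv` (that script lives in `python/generic.yml`, outside this diff) is inventoried as a project dependency. Since the venv is still active before `deactivate`, generating from the environment instead (something like `cyclonedx-py environment .venv`) would describe exactly what was installed rather than a lossy listing; if the requirements route is kept deliberately, say why. Either way `.freeze-dependencies` deserves a comment stating its intent, e.g. `# Fresh venv so the freeze reflects only what .python:pre-install installs, not the runner image's site-packages`, and `artifacts: when: always` a note that it exists to keep `pip-log.txt` and the partial freeze for failed runs.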
security/trivy.yml 0 → 100644 +21 −0 Original line number Diff line number Diff line --- variables: TRIVY_SEVERITIES: HIGH,CRITICAL # comma-separated list of severities to fail on (LOW,MEDIUM,HIGH,CRITICAL) .trivy: image: name: aquasec/trivy entrypoint: [""] .trivy:sbom: extends: .trivy script: - trivy sbom $TRIVY_SBOM_ARGS $TRIVY_TARGET - | if ! trivy sbom $TRIVY_SBOM_ARGS $TRIVY_TARGET --exit-code 1 --severity $TRIVY_SEVERITIES &>/dev/null; then echo "[!] Detected vulnerabilities with severity $TRIVY_SEVERITIES." exit 1 else echo "[+] Found no vulnerabilities with severity $TRIVY_SEVERITIES." exit 0 fi
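Review bot: The gate in `.trivy:sbom` conflates scanner failure with findings: the second `trivy sbom` call has `&>/dev/null`, so if the vulnerability database cannot be fetched or `$TRIVY_TARGET` is missing, trivy's non-zero exit is reported as "Detected vulnerabilities" and the diagnostic is discarded (the job still fails closed, which is right, but for the wrong stated reason). Drop the redirect, or use `--quiet`, so the real cause lands in the job log: `if ! trivy sbom $TRIVY_SBOM_ARGS $TRIVY_TARGET --exit-code 1 --severity "$TRIVY_SEVERITIES"; then`. The scanner image `aquasec/trivy` carries no tag or digest, so this security gate floats on `latest` and any changed or compromised image silently becomes the gate; pin it, e.g. `name: aquasec/trivy:<version>@sha256:<digest>`, and bump it deliberately. `TRIVY_SBOM_ARGS` is referenced but never declared here, so a comment next to `TRIVY_SEVERITIES` such as `# TRIVY_SBOM_ARGS: optional extra trivy flags, set per project (unset = none)` would tell integrators it is an intended hook rather than a typo.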