Commit 313dd11a authored by Thomas Boni's avatar Thomas Boni

Merge branch '409-job-trivy-add-exit_on_severity-variable-to-improve-job' into 'latest'

Resolve "[job]Trivy - add EXIT_ON_SEVERITY variable to improve job"

Closes #409

See merge request r2devops/hub!249
parents 1d375f52 3bf22780
+1 −0
@@ -345,3 +345,4 @@ jobdescription
templating
Templating
auths
severities
 No newline at end of file
+6 −4
@@ -7,10 +7,10 @@ vulnerability detection capabilities are available in its official
[README](https://github.com/aquasecurity/trivy#vulnerability-detection){:target="_blank"}

!!! warning
    With the default configuration, this job will fail if errors are detected.
    With the default configuration, this job will fail if detected errors are in severity `MEDIUM`,`HIGH`,`CRITICAL`.
    It's the recommended configuration to reduce security risks in your
    software. You can disable this behavior by setting the value `0` to the
    variable `TRIVY_EXIT_CODE`.
    software. You can disable this behaviour by emptying the value of the
    variable `TRIVY_EXIT_ON_SEVERITY`.

## How to use it

@@ -71,8 +71,10 @@ documentation](https://github.com/aquasecurity/trivy#application-dependencies){:
|:-|:-|:-
| `TRIVY_VERSION` | Version of trivy to use. Releases version are available [here](https://github.com/aquasecurity/trivy/releases){:target="_blank"} | `0.12.0` |
| `TRIVY_SEVERITY` | Severity of vulnerabilities to be displayed | `UNKNOWN`,`LOW`,`MEDIUM`,`HIGH`,`CRITICAL`|
| `TRIVY_EXIT_CODE` | Exit code when vulnerabilities were found | 1 |
| `TRIVY_EXIT_ON_SEVERITY` | Severities of vulnerabilities for the job to fail at | `MEDIUM`,`HIGH`,`CRITICAL`|
| `TRIVY_EXIT_CODE` | Exit code when vulnerabilities were found | 0 |
| `TRIVY_VULN_TYPE` | List of vulnerability types | os,library |
| `TRIVY_OPTIONS` | Options for command `trivy` | ` ` |
| `TRIVY_OUTPUT` | Output file name | junit-report.xml |
| `TRIVY_IGNOREFILE` | Specify .trivyignore file | .trivyignore |
| `TRIVY_CACHE_DIR` | cache directory | .trivycache/
+9 −2
@@ -11,7 +11,8 @@ trivy_dependency:
    entrypoint: [""]
  variables:
    TRIVY_SEVERITY: "LOW,MEDIUM,HIGH,CRITICAL"
    TRIVY_EXIT_CODE: 1
    TRIVY_EXIT_ON_SEVERITY: "MEDIUM,HIGH,CRITICAL"
    TRIVY_EXIT_CODE: 0
    TRIVY_VULN_TYPE: "library"
    TRIVY_NO_PROGRESS: "false"
    TRIVY_OUTPUT: "junit-report.xml"
@@ -23,12 +24,18 @@ trivy_dependency:
    TRIVY_CLEAR_CACHE: "false"
    TRIVY_IGNORE_UNFIXED: "false"
    TRIVY_DEBUG: "false"
    TRIVY_OPTIONS: ""

    TRIVY_VERSION: "0.12.0"
    TRIVY_REMOTE: ""
    TRIVY_SKIP_UPDATE: "false"
  script:
    - trivy fs --template "@${TRIVY_TEMPLATE_DIRECTORY}/${TEMPLATE_NAME}" -o ${TRIVY_OUTPUT} ./
    # Build report
    - trivy fs --template "@${TRIVY_TEMPLATE_DIRECTORY}/${TEMPLATE_NAME}" --cache-dir ${TRIVY_CACHE_DIR} --output ${TRIVY_OUTPUT} ${TRIVY_OPTIONS} ./
    # Fail on severe vulnerabilities
    - if [ ! -z ${TRIVY_EXIT_ON_SEVERITY} ]; then
    -   trivy fs --exit-code 1 --template "@${TRIVY_TEMPLATE_DIRECTORY}/${TEMPLATE_NAME}" --cache-dir ${TRIVY_CACHE_DIR} --severity ${TRIVY_EXIT_ON_SEVERITY} --output failed.${TRIVY_OUTPUT} ${TRIVY_OPTIONS} ./
    - fi
  cache:
    paths:
      - "${TRIVY_CACHE_DIR}"
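Review bot: The gate `if [ ! -z ${TRIVY_EXIT_ON_SEVERITY} ]; then` expands the variable unquoted, so the documented "empty the value to disable" only works because `[ ! -z ]` happens to evaluate false, and a value containing whitespace (e.g. `HIGH, CRITICAL`) makes `test` fail with "too many arguments" and is also word-split into the `--severity` argument of the second `trivy fs` call; write it as `if [ -n "${TRIVY_EXIT_ON_SEVERITY}" ]; then` and `--severity "${TRIVY_EXIT_ON_SEVERITY}"`. Because `${TRIVY_OPTIONS}` is appended after `--exit-code 1 --severity …`, a user-supplied `--exit-code 0` or `--severity` in `TRIVY_OPTIONS` may silently override the failure gate if trivy honours the last occurrence of a flag (not verified here); either place `${TRIVY_OPTIONS}` before the hard-coded gate flags or document that those two flags must not be passed through it. The second scan writes `failed.${TRIVY_OUTPUT}`, but nothing in the hunk shows that file being exported, so on a failing pipeline the report that explains the failure may be discarded — confirm against the job's `artifacts` section. The `trivy_dependency` job's header and its `artifacts` block lie outside the hunk.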
+3 −0
* Add ability to exit on a particular severity
* Add possibility to append options for command `trivy`
* Change default value for `TRIVY_EXIT_CODE`
 No newline at end of file
+4 −4
@@ -66,13 +66,13 @@ trivy_image:
    -   IMAGE="$REGISTRY_IMAGE:$CI_COMMIT_SHA"
    - fi

    # Build report
    - ./trivy --template "@${TEMPLATE_NAME}" --cache-dir ${TRIVY_CACHE_DIR} --output ${TRIVY_OUTPUT} ${TRIVY_OPTIONS} $IMAGE
    # Fail on severe vulnerabilities
    - if [ ! -z ${TRIVY_EXIT_ON_SEVERITY} ]; then
    -   TRIVY_OPTIONS="--exit-code 1 --severity ${TRIVY_EXIT_ON_SEVERITY} --output ${TRIVY_OUTPUT} ${TRIVY_OPTIONS}"
    - else
        TRIVY_OPTIONS="--output ${TRIVY_OUTPUT} ${TRIVY_OPTIONS}"
    -   ./trivy --exit-code 1 --severity ${TRIVY_EXIT_ON_SEVERITY} --template "@${TEMPLATE_NAME}" --cache-dir ${TRIVY_CACHE_DIR} --output failed.${TRIVY_OUTPUT} ${TRIVY_OPTIONS} $IMAGE
    - fi

    - ./trivy --template "@${TEMPLATE_NAME}" ${TRIVY_OPTIONS} $IMAGE

  cache:
    paths: