Merge branch '649-update-trivy-version' into 'latest' (3a643647) · Commits · mirror-bot / Hub

jobs/trivy_image/CHANGELOG.md

+3 −0

Original line number	Diff line number	Diff line
		# Changelog
		All notable changes to this job will be documented in this file.

		## [1.2.0] - 2022-10-10
		* Update trivy and docker images versions

		## [1.1.0] - 2022-06-13
		* Add docker image tag in variable

jobs/trivy_image/README.md

+20 −20

Original line number	Diff line number	Diff line
		@@ -25,33 +25,33 @@ vulnerability detection capabilities are available in its official

		\| Name \| Description \| Default \|
		\| ---- \| ----------- \| ------- \|
		\| `TRIVY_VERSION` <img width=450/> \| Version of trivy to use. Releases version are available [here](https://github.com/aquasecurity/trivy/releases){:target="_blank"} \| `0.9.2` \|
		\| `TRIVY_VERSION` <img width=450/> \| Version of trivy to use. Releases version are available [here](https://github.com/aquasecurity/trivy/releases){:target="_blank"} \| `0.32.1` \|
		\| `TRIVY_SEVERITY` \| Severities of vulnerabilities to be displayed \| `UNKNOWN`,`LOW`,`MEDIUM`,`HIGH`,`CRITICAL`\|
		\| `TRIVY_EXIT_ON_SEVERITY` \| Severities of vulnerabilities for the job to fail at \| `MEDIUM`,`HIGH`,`CRITICAL`\|
		\| `TRIVY_EXIT_CODE` \| Exit code when vulnerabilities were found \| 0 \|
		\| `TRIVY_VULN_TYPE` \| List of vulnerability types \| os,library \|
		\| `TRIVY_OUTPUT` \| Output file name \| junit-report.xml \|
		\| `TRIVY_IGNOREFILE` \| Specify .trivyignore file \| .trivyignore \|
		\| `TRIVY_CACHE_DIR` \| cache directory \| .trivycache/
		\| `TRIVY_FORMAT` \| Format (table, json, template) \| template \|
		\| `TEMPLATE_NAME` \| Name of used template \| junit.tpl \|
		\| `TRIVY_CLEAR_CACHE` \| Clear image caches without scanning \| false \|
		\| `TRIVY_IGNORE_UNFIXED` \| Display only fixed vulnerabilities \| false \|
		\| `TRIVY_DEBUG` \| Debug mode \| false \|
		\| `TRIVY_EXIT_CODE` \| Exit code when vulnerabilities were found \| `0` \|
		\| `TRIVY_VULN_TYPE` \| List of vulnerability types \| `os,library` \|
		\| `TRIVY_OUTPUT` \| Output file name \| `junit-report.xml` \|
		\| `TRIVY_IGNOREFILE` \| Specify .trivyignore file \| `.trivyignore` \|
		\| `TRIVY_CACHE_DIR` \| cache directory \| `.trivycache/`
		\| `TRIVY_FORMAT` \| Format (table, json, template) \| `template` \|
		\| `TEMPLATE_NAME` \| Name of used template \| `junit.tpl` \|
		\| `TRIVY_CLEAR_CACHE` \| Clear image caches without scanning \| `false` \|
		\| `TRIVY_IGNORE_UNFIXED` \| Display only fixed vulnerabilities \| `false` \|
		\| `TRIVY_DEBUG` \| Debug mode \| `false` \|
		\| `TRIVY_OPTIONS` \| Options for command `trivy` \| ` ` \|
		\| `DOCKER_HOST` \| Daemon socket to connect to \| tcp://docker:2375 \|
		\| `TRIVY_TIMEOUT` \| Docker timeout \| 2m0s \|
		\| `TRIVY_LIGHT` \| Trivy faster without descriptions and refs \| false \|
		\| `TRIVY_DOWNLOAD_DB_ONLY` \| Download vulnerability database without scan \| false \|
		\| `TRIVY_NO_PROGRESS` \| Suppress progress bar \| false \|
		\| `TRIVY_QUIET` \| Suppress progress bar and log output \| false \|
		\| `TRIVY_SKIP_UPDATE` \| Skip vulnerability database update \| false \|
		\| `TRIVY_REMOVED_PKGS` \| Detect vulns of Alpine removed packages \| false \|
		\| `DOCKER_HOST` \| Daemon socket to connect to \| `tcp://docker:2375` \|
		\| `TRIVY_TIMEOUT` \| Docker timeout \| `2m0s` \|
		\| `TRIVY_LIGHT` \| Trivy faster without descriptions and refs \| `false` \|
		\| `TRIVY_DOWNLOAD_DB_ONLY` \| Download vulnerability database without scan \| `false` \|
		\| `TRIVY_NO_PROGRESS` \| Suppress progress bar \| `false` \|
		\| `TRIVY_QUIET` \| Suppress progress bar and log output \| `false` \|
		\| `TRIVY_SKIP_UPDATE` \| Skip vulnerability database update \| `false` \|
		\| `TRIVY_REMOVED_PKGS` \| Detect vulns of Alpine removed packages \| `false` \|
		\| `CUSTOM_REGISTRY` \| If you use another registry than your gitlab instance's one \| ` ` \|
		\| `REGISTRY_USER` \| User to use for authenticating `CUSTOM_REGISTRY` \| ` ` \|
		\| `REGISTRY_PASSWORD` \| Password to use for authenticating `CUSTOM_REGISTRY` \| ` ` \|
		\| `CUSTOM_TAG` \| If you want to use another tag beside `CI_COMMIT_SHA` or `CI_COMMIT_TAG` \| ` ` \|
		\| `IMAGE_TAG` \| The default tag for the docker image \| `19.03` \|
		\| `IMAGE_TAG` \| The default tag for the docker image \| `20.10` \|

		## Artifacts

jobs/trivy_image/trivy_image.yml

+7 −7

Original line number	Diff line number	Diff line
		@@ -19,8 +19,8 @@ trivy_image:
		TRIVY_VULN_TYPE: "os,library"
		TRIVY_NO_PROGRESS: "false"
		TRIVY_OUTPUT: "junit-report.xml"
		TRIVY_IGNOREFILE: .trivyignore
		TRIVY_CACHE_DIR: .trivycache/
		TRIVY_IGNOREFILE: ".trivyignore"
		TRIVY_CACHE_DIR: ".trivycache/"
		TRIVY_FORMAT: "template"
		TEMPLATE_NAME: "junit.tpl"
		TRIVY_CLEAR_CACHE: "false"
		@@ -31,7 +31,7 @@ trivy_image:
		DOCKER_HOST: tcp://docker:2375
		DOCKER_DRIVER: overlay2
		DOCKER_TLS_CERTDIR: ""
		TRIVY_VERSION: "0.9.2"
		TRIVY_VERSION: "0.32.1"
		TRIVY_REMOTE: ""
		TRIVY_TIMEOUT: ""
		TRIVY_LIGHT: "false"
		@@ -45,7 +45,7 @@ trivy_image:
		REGISTRY_PASSWORD: ""
		CUSTOM_TAG: ""

		IMAGE_TAG: "19.03"
		IMAGE_TAG: "20.10"
		script:
		- wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
		- tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
		@@ -68,10 +68,10 @@ trivy_image:
		- fi

		# Build report
		- ./trivy --template "@${TEMPLATE_NAME}" --cache-dir ${TRIVY_CACHE_DIR} --output ${TRIVY_OUTPUT} ${TRIVY_OPTIONS} $IMAGE
		- ./trivy image --format template --template "@${TEMPLATE_NAME}" --cache-dir ${TRIVY_CACHE_DIR} --output ${TRIVY_OUTPUT} ${TRIVY_OPTIONS} $IMAGE
		# Fail on severe vulnerabilities
		- if [ ! -z ${TRIVY_EXIT_ON_SEVERITY} ]; then
		- ./trivy --exit-code 1 --severity ${TRIVY_EXIT_ON_SEVERITY} --template "@${TEMPLATE_NAME}" --cache-dir ${TRIVY_CACHE_DIR} --output failed.${TRIVY_OUTPUT} ${TRIVY_OPTIONS} $IMAGE
		- ./trivy image --exit-code 1 --severity ${TRIVY_EXIT_ON_SEVERITY} --template "@contrib/${TEMPLATE_NAME}" --cache-dir ${TRIVY_CACHE_DIR} --output failed.${TRIVY_OUTPUT} ${TRIVY_OPTIONS} $IMAGE
		- fi

Original line number	Diff line number	Diff line
		@@ -25,33 +25,33 @@ vulnerability detection capabilities are available in its official

		\| Name \| Description \| Default \|
		\| ---- \| ----------- \| ------- \|
		\| `TRIVY_VERSION` <img width=450/> \| Version of trivy to use. Releases version are available [here](https://github.com/aquasecurity/trivy/releases){:target="_blank"} \| `0.9.2` \|
		\| `TRIVY_VERSION` <img width=450/> \| Version of trivy to use. Releases version are available [here](https://github.com/aquasecurity/trivy/releases){:target="_blank"} \| `0.32.1` \|
		\| `TRIVY_SEVERITY` \| Severities of vulnerabilities to be displayed \| `UNKNOWN`,`LOW`,`MEDIUM`,`HIGH`,`CRITICAL`\|
		\| `TRIVY_EXIT_ON_SEVERITY` \| Severities of vulnerabilities for the job to fail at \| `MEDIUM`,`HIGH`,`CRITICAL`\|
		\| `TRIVY_EXIT_CODE` \| Exit code when vulnerabilities were found \| 0 \|
		\| `TRIVY_VULN_TYPE` \| List of vulnerability types \| os,library \|
		\| `TRIVY_OUTPUT` \| Output file name \| junit-report.xml \|
		\| `TRIVY_IGNOREFILE` \| Specify .trivyignore file \| .trivyignore \|
		\| `TRIVY_CACHE_DIR` \| cache directory \| .trivycache/
		\| `TRIVY_FORMAT` \| Format (table, json, template) \| template \|
		\| `TEMPLATE_NAME` \| Name of used template \| junit.tpl \|
		\| `TRIVY_CLEAR_CACHE` \| Clear image caches without scanning \| false \|
		\| `TRIVY_IGNORE_UNFIXED` \| Display only fixed vulnerabilities \| false \|
		\| `TRIVY_DEBUG` \| Debug mode \| false \|
		\| `TRIVY_EXIT_CODE` \| Exit code when vulnerabilities were found \| `0` \|
		\| `TRIVY_VULN_TYPE` \| List of vulnerability types \| `os,library` \|
		\| `TRIVY_OUTPUT` \| Output file name \| `junit-report.xml` \|
		\| `TRIVY_IGNOREFILE` \| Specify .trivyignore file \| `.trivyignore` \|
		\| `TRIVY_CACHE_DIR` \| cache directory \| `.trivycache/`
		\| `TRIVY_FORMAT` \| Format (table, json, template) \| `template` \|
		\| `TEMPLATE_NAME` \| Name of used template \| `junit.tpl` \|
		\| `TRIVY_CLEAR_CACHE` \| Clear image caches without scanning \| `false` \|
		\| `TRIVY_IGNORE_UNFIXED` \| Display only fixed vulnerabilities \| `false` \|
		\| `TRIVY_DEBUG` \| Debug mode \| `false` \|
		\| `TRIVY_OPTIONS` \| Options for command `trivy` \| ` ` \|
		\| `DOCKER_HOST` \| Daemon socket to connect to \| tcp://docker:2375 \|
		\| `TRIVY_TIMEOUT` \| Docker timeout \| 2m0s \|
		\| `TRIVY_LIGHT` \| Trivy faster without descriptions and refs \| false \|
		\| `TRIVY_DOWNLOAD_DB_ONLY` \| Download vulnerability database without scan \| false \|
		\| `TRIVY_NO_PROGRESS` \| Suppress progress bar \| false \|
		\| `TRIVY_QUIET` \| Suppress progress bar and log output \| false \|
		\| `TRIVY_SKIP_UPDATE` \| Skip vulnerability database update \| false \|
		\| `TRIVY_REMOVED_PKGS` \| Detect vulns of Alpine removed packages \| false \|
		\| `DOCKER_HOST` \| Daemon socket to connect to \| `tcp://docker:2375` \|
		\| `TRIVY_TIMEOUT` \| Docker timeout \| `2m0s` \|
		\| `TRIVY_LIGHT` \| Trivy faster without descriptions and refs \| `false` \|
		\| `TRIVY_DOWNLOAD_DB_ONLY` \| Download vulnerability database without scan \| `false` \|
		\| `TRIVY_NO_PROGRESS` \| Suppress progress bar \| `false` \|
		\| `TRIVY_QUIET` \| Suppress progress bar and log output \| `false` \|
		\| `TRIVY_SKIP_UPDATE` \| Skip vulnerability database update \| `false` \|
		\| `TRIVY_REMOVED_PKGS` \| Detect vulns of Alpine removed packages \| `false` \|
		\| `CUSTOM_REGISTRY` \| If you use another registry than your gitlab instance's one \| ` ` \|
		\| `REGISTRY_USER` \| User to use for authenticating `CUSTOM_REGISTRY` \| ` ` \|
		\| `REGISTRY_PASSWORD` \| Password to use for authenticating `CUSTOM_REGISTRY` \| ` ` \|
		\| `CUSTOM_TAG` \| If you want to use another tag beside `CI_COMMIT_SHA` or `CI_COMMIT_TAG` \| ` ` \|
		\| `IMAGE_TAG` \| The default tag for the docker image \| `19.03` \|
		\| `IMAGE_TAG` \| The default tag for the docker image \| `20.10` \|

		## Artifacts