Commit bcfe2483 authored by Thomas Boni's avatar Thomas Boni

Merge branch '248-job-trivy-add-exit_on_severity-variable-to-improve-job' into 'latest'

Resolve "[job]Trivy - add EXIT_ON_SEVERITY variable to improve job"

Closes #248

See merge request r2devops/hub!239
parents 842b7f7b ce983982
+6 −4
@@ -7,10 +7,10 @@ vulnerability detection capabilities are available in its official
[README](https://github.com/aquasecurity/trivy#vulnerability-detection){:target="_blank"}

!!! warning
    With the default configuration, this job will fail if errors are detected.
    With the default configuration, this job will fail if detected errors are in severity `MEDIUM`,`HIGH`,`CRITICAL`.
    It's the recommended configuration to reduce security risks in your
    software. You can disable this behaviour by setting the value `0` to the
    variable `TRIVY_EXIT_CODE`.
    software. You can disable this behaviour by emptying the value of the
    variable `TRIVY_EXIT_ON_SEVERITY`.

## How to use it

@@ -36,7 +36,8 @@ vulnerability detection capabilities are available in its official
|:-|:-|:-
| `TRIVY_VERSION` <img width=450/> | Version of trivy to use. Releases version are available [here](https://github.com/aquasecurity/trivy/releases){:target="_blank"} | `0.9.2` |
| `TRIVY_SEVERITY` | Severities of vulnerabilities to be displayed | `UNKNOWN`,`LOW`,`MEDIUM`,`HIGH`,`CRITICAL`|
| `TRIVY_EXIT_CODE` | Exit code when vulnerabilities were found | 1 |
| `TRIVY_EXIT_ON_SEVERITY` | Severities of vulnerabilities for the job to fail at | `MEDIUM`,`HIGH`,`CRITICAL`|
| `TRIVY_EXIT_CODE` | Exit code when vulnerabilities were found | 0 |
| `TRIVY_VULN_TYPE` | List of vulnerability types | os,library |
| `TRIVY_OUTPUT` | Output file name | junit-report.xml |
| `TRIVY_IGNOREFILE` | Specify .trivyignore file | .trivyignore |
@@ -46,6 +47,7 @@ vulnerability detection capabilities are available in its official
| `TRIVY_CLEAR_CACHE` | Clear image caches without scanning | false |
| `TRIVY_IGNORE_UNFIXED` | Display only fixed vulnerabilities | false |
| `TRIVY_DEBUG` | Debug mode | false |
| `TRIVY_OPTIONS` | Options for command `trivy` | ` ` |
| `DOCKER_HOST` | Daemon socket to connect to | tcp://docker:2375 |
| `TRIVY_TIMEOUT` | Docker timeout | 2m0s |
| `TRIVY_LIGHT` | Trivy faster without descriptions and refs | false |
+16 −6
@@ -13,8 +13,9 @@ trivy_image:
      command: ["dockerd-entrypoint.sh"]

  variables:
    TRIVY_SEVERITY: "LOW,MEDIUM,HIGH,CRITICAL"
    TRIVY_EXIT_CODE: 1
    TRIVY_SEVERITY: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
    TRIVY_EXIT_ON_SEVERITY: "MEDIUM,HIGH,CRITICAL"
    TRIVY_EXIT_CODE: 0
    TRIVY_VULN_TYPE: "os,library"
    TRIVY_NO_PROGRESS: "false"
    TRIVY_OUTPUT: "junit-report.xml"
@@ -25,6 +26,7 @@ trivy_image:
    TRIVY_CLEAR_CACHE: "false"
    TRIVY_IGNORE_UNFIXED: "false"
    TRIVY_DEBUG: "false"
    TRIVY_OPTIONS: ""

    DOCKER_HOST: tcp://docker:2375
    DOCKER_DRIVER: overlay2
@@ -57,12 +59,21 @@ trivy_image:
    - fi

    - if [ ! -z ${CUSTOM_TAG} ]; then
    -   ./trivy --template "@$TEMPLATE_NAME" -o $TRIVY_OUTPUT $REGISTRY_IMAGE:$CUSTOM_TAG
    -   IMAGE="$REGISTRY_IMAGE:$CUSTOM_TAG"
    - elif [ ! -z ${CI_COMMIT_TAG} ]; then
    -   ./trivy --template "@$TEMPLATE_NAME" -o $TRIVY_OUTPUT $REGISTRY_IMAGE:$CI_COMMIT_TAG
    -   IMAGE="$REGISTRY_IMAGE:$CI_COMMIT_TAG"
    - else
    -   ./trivy --template "@$TEMPLATE_NAME" -o $TRIVY_OUTPUT $REGISTRY_IMAGE:$CI_COMMIT_SHA
    -   IMAGE="$REGISTRY_IMAGE:$CI_COMMIT_SHA"
    - fi

    - if [ ! -z ${TRIVY_EXIT_ON_SEVERITY} ]; then
    -   TRIVY_OPTIONS="--exit-code 1 --severity ${TRIVY_EXIT_ON_SEVERITY} --output ${TRIVY_OUTPUT} ${TRIVY_OPTIONS}"
    - else
        TRIVY_OPTIONS="--output ${TRIVY_OUTPUT} ${TRIVY_OPTIONS}"
    - fi

    - ./trivy --template "@${TEMPLATE_NAME}" ${TRIVY_OPTIONS} $IMAGE

  cache:
    paths:
      - "$TRIVY_CACHE_DIR"
@@ -72,4 +83,3 @@ trivy_image:
      junit: "$TRIVY_OUTPUT"
    expire_in: 30 days
    when: always
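Review bot: The gating branch builds `TRIVY_OPTIONS="--exit-code 1 --severity ${TRIVY_EXIT_ON_SEVERITY} ..."`, and since a command-line `--severity` presumably takes precedence over the `TRIVY_SEVERITY` env var set in `variables`, the default job no longer reports `UNKNOWN`/`LOW` findings at all — `junit-report.xml` is narrowed to the fail-on set, which contradicts the "severities to be displayed" default in the variable table. If the intent is to display everything but fail only from `MEDIUM` up, that needs a second trivy pass (a report pass with the full `TRIVY_SEVERITY`, then a gating pass with `--exit-code 1 --severity "${TRIVY_EXIT_ON_SEVERITY}"` that does not write the junit file, so the report is not overwritten); otherwise the docs should state that `TRIVY_SEVERITY` only applies when `TRIVY_EXIT_ON_SEVERITY` is empty. The new test should also quote the expansion, `if [ -n "${TRIVY_EXIT_ON_SEVERITY}" ]; then`, because an unquoted value containing whitespace makes `[` error out and the job would silently fall through to the non-failing branch. Because the user-supplied `${TRIVY_OPTIONS}` is appended after `--exit-code 1`, a value such as `--exit-code 0` would likely override the gate — worth one sentence in the `TRIVY_OPTIONS` row of the table. The `trivy_image` job and its `script` list begin before this hunk.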
+2 −0
* Add ability to exit on a particular severity
* Add possibility to append options for command `trivy`
 No newline at end of file