Commit 57c584ac authored by Pierre Smeyers's avatar Pierre Smeyers
Browse files

Merge branch 'feat/use-trivy-variables' into 'master' 

refactor(trivy): enforce usage of Trivy environment variables

See merge request to-be-continuous/cnb!34
parents fac2cb98 cb6ffe95

README.md

+15 −11
Original line number Diff line number Diff line
@@ -199,15 +199,15 @@ Examples or User-Provided variables: 


### `cnb-trivy` job



This job performs a Vulnerability Static Analysis with [Trivy](https://github.com/aquasecurity/trivy) on your built image.

This job performs a Vulnerability Static Analysis with [Trivy](https://aquasecurity.github.io/trivy) on your built image.



Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/v0.28.0/docs/references/modes/standalone/) mode.

Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/latest/docs/references/modes/standalone/) mode.



If you want to run Trivy in client/server mode, you need to set the `CNB_TRIVY_ADDR` environment variable.

If you want to run Trivy in client/server mode, you need to set the `TRIVY_SERVER` environment variable.



```yaml

variables:

  CNB_TRIVY_ADDR: "https://trivy.acme.host"

  TRIVY_SERVER: "https://trivy.acme.host"

```



It is bound to the `package-test` stage, and uses the following variables:
@@ -215,19 +215,23 @@ It is bound to the `package-test` stage, and uses the following variables: 
| Input / Variable | Description                            | Default value     |

| ---------------------- | -------------------------------------- | ----------------- |

| `trivy-image` / `CNB_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `registry.hub.docker.com/aquasec/trivy:latest` |

| `trivy-addr` / `CNB_TRIVY_ADDR` | The Trivy server address (for client/server mode)              | _(none: standalone mode)_  |

| `trivy-security-level-threshold` / `CNB_TRIVY_SECURITY_LEVEL_THRESHOLD` | Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`  |

| `trivy-disabled` / `CNB_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis          | _(none)_ |

| `trivy-args` / `CNB_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |

| `trivy-db-repository` / `CNB_TRIVY_DB_REPOSITORY` | OCI repository to retrieve Trivy Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-db`) |

| `trivy-java-db-repository` / `CNB_TRIVY_JAVA_DB_REPOSITORY` | OCI repository to retrieve Trivy Java Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)_ |

| `trivy-args` / `CNB_TRIVY_ARGS` | Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) | `--ignore-unfixed --vuln-type os` |



Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options).

Examples:



* `TRIVY_SEVERITY`: severities of security issues to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)

* `TRIVY_SERVER`: server address (enables client/server mode)

* `TRIVY_DB_REPOSITORY`: OCI repository to retrieve Trivy Database from

* `TRIVY_JAVA_DB_REPOSITORY`: OCI repository to retrieve Trivy Java Database from



In addition to a textual report in the console, this job produces the following reports, kept for one day:



| Report                            | Format                                                                       | Usage             |

|-----------------------------------| ---------------------------------------------------------------------------- | ----------------- |

| `reports/cnb-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#trivy)<br/>_This report is generated only if DefectDojo template is detected_ |

| `reports/cnb-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/v0.30.4/docs/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) |

| `reports/cnb-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://documentation.defectdojo.com/integrations/parsers/file/trivy)<br/>_This report is generated only if DefectDojo template is detected_ |

| `reports/cnb-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) |



### `cnb-publish` job

kicker.json

+2 −24
Original line number Diff line number Diff line
@@ -44,7 +44,7 @@ 
    {

      "id": "trivy",

      "name": "Trivy",

      "description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis",

      "description": "[Trivy](https://aquasecurity.github.io/trivy) vulnerability analysis",

      "disable_with": "CNB_TRIVY_DISABLED",

      "variables": [

        {
@@ -53,33 +53,11 @@ 
          "default": "registry.hub.docker.com/aquasec/trivy:latest",

          "advanced": true

        },

        {

          "name": "CNB_TRIVY_ADDR",

          "type": "url",

          "description": "The Trivy server address"

        },

        {

          "name": "CNB_TRIVY_SECURITY_LEVEL_THRESHOLD",

          "type": "enum",

          "values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"],

          "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",

          "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"

        },

        {

          "name": "CNB_TRIVY_ARGS",

          "description": "Additional `trivy client` arguments",

          "description": "Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)",

          "default": "--ignore-unfixed --vuln-type os --exit-on-eol 1",

          "advanced": true

        },

        {

          "name": "CNB_TRIVY_DB_REPOSITORY",

          "description": "OCI repository to retrieve Trivy Database from",

          "advanced": true

        },

        {

          "name": "CNB_TRIVY_JAVA_DB_REPOSITORY",

          "description": "OCI repository to retrieve Trivy Java Database from",

          "advanced": true

        }

      ]

    },

templates/gitlab-ci-cnb.yml

+13 −43
Original line number Diff line number Diff line
@@ -57,27 +57,9 @@ spec: 
    trivy-image:

      description: The docker image used to scan images with Trivy

      default: registry.hub.docker.com/aquasec/trivy:latest

    trivy-addr:

      description: The Trivy server address

      default: ''

    trivy-security-level-threshold:

      description: 'Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'

      options:

        - UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL

        - LOW,MEDIUM,HIGH,CRITICAL

        - MEDIUM,HIGH,CRITICAL

        - HIGH,CRITICAL

        - CRITICAL

      default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL

    trivy-args:

      description: Additional `trivy client` arguments

      description: Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)

      default: --ignore-unfixed --vuln-type os --exit-on-eol 1

    trivy-db-repository:

      description: Custom OCI repository to retrieve Trivy Database from

      default: ''

    trivy-java-db-repository:

      description: Custom Java DB repository path

      default: ''

---

workflow:

  rules:
@@ -146,14 +128,9 @@ variables: 
  CNB_PUBLISH_ARGS: $[[ inputs.publish-args ]]



  # default trivy

  CNB_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]

  CNB_TRIVY_IMAGE: $[[ inputs.trivy-image ]]

  CNB_TRIVY_ARGS: $[[ inputs.trivy-args ]]

  CNB_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]]

  CNB_TRIVY_JAVA_DB_REPOSITORY: $[[ inputs.trivy-java-db-repository ]]



  CNB_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]

  CNB_TRIVY_ADDR: $[[ inputs.trivy-addr ]]

  

  # default production ref name (pattern)

  PROD_REF: /^(master|main)$/
@@ -510,26 +487,19 @@ cnb-trivy: 
    export TRIVY_PASSWORD=${CNB_REGISTRY_SNAPSHOT_PASSWORD:-${CNB_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}

    basename=$(echo "${CNB_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')

    mkdir -p ./reports

    if [[ -z "${CNB_TRIVY_ADDR}" ]]; then

      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the CNB_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"

      trivy image --download-db-only ${CNB_TRIVY_DB_REPOSITORY:+--db-repository $CNB_TRIVY_DB_REPOSITORY} ${CNB_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $CNB_TRIVY_JAVA_DB_REPOSITORY}

      export trivy_opts="image"

    else

      log_info "You are using Trivy in client/server mode with the following server: ${CNB_TRIVY_ADDR}"

      export trivy_opts="image --server ${CNB_TRIVY_ADDR}"

    if [[ -z "$TRIVY_SERVER" ]]; then

      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"

    fi

    # Add common trivy arguments

    # The Java DB is downloaded client-side in client/server mode (https://github.com/aquasecurity/trivy/issues/3560), so we need to specify the Java DB repository

    export trivy_opts="${trivy_opts} ${CNB_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $CNB_TRIVY_JAVA_DB_REPOSITORY} --no-progress --severity ${CNB_TRIVY_SECURITY_LEVEL_THRESHOLD} ${CNB_TRIVY_ARGS}"

    # GitLab format (no fail)

    trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/cnb-trivy-${basename}.gitlab.json $CNB_SNAPSHOT_IMAGE

    # JSON format (no fail)

    if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]

    then

      trivy ${trivy_opts} --format json --exit-code 0 --output reports/cnb-trivy-${basename}.native.json $CNB_SNAPSHOT_IMAGE

    fi

    # console output (fail)

    trivy ${trivy_opts} --format table --exit-code 1 $CNB_SNAPSHOT_IMAGE

    # Generate the native JSON report that can later be converted to other formats

    trivy image --no-progress ${CNB_TRIVY_ARGS} --exit-code 1 --format json --output reports/cnb-trivy-${basename}.native.json $CNB_SNAPSHOT_IMAGE || exit_code=$?



    # Generate a report in the GitLab format

    trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/cnb-trivy-${basename}.gitlab.json reports/cnb-trivy-${basename}.native.json



    # console output

    trivy convert --format table reports/cnb-trivy-${basename}.native.json



    exit $exit_code

  artifacts:

    when: always

    paths: