feat(security): run vulnerability scan on default images and show reports

stages:

  - codegen

  - build

  - test

  - deploy

    name: "aggregated kicker json from $CI_COMMIT_REF_SLUG"

    paths:

      - kicker-aggregated.json

      - tbc-default-images.out

      - mkdocs.yml

      - docs/ref/

      - docs/secu/

scan-images:

  image:

    name: "registry.hub.docker.com/aquasec/trivy:latest"

    entrypoint: [""]

  cache:

    key: "$CI_COMMIT_REF_SLUG-trivy"

    paths:

      - .cache

  stage: codegen

  script:

    - ./scan-images.sh

  allow_failure: true

  artifacts:

    when: always

    paths:

      # - "reports/trivy-*"

      - docs/secu/

    # reports:

    #   container_scanning: "reports/trivy-*.gitlab.json"

check-links:

  image:

    entrypoint: [""]

  stage: build

  script:

    - lychee --exclude http://127.0.0.1 --exclude https://my-nonprod-k8s.domain --exclude "/static/intro$" --exclude-path SECURITY.md --exclude-path docs/ref/templates-stages-body.part.html *.md docs/ static/

    - lychee --exclude http://127.0.0.1 --exclude https://my-nonprod-k8s.domain --exclude '/static/intro$' --exclude-path SECURITY.md --exclude-path docs/ref/templates-stages-body.part.html --exclude-path docs/secu/ *.md docs/ static/

  allow_failure: true

# publish on GitLab pages: only on master

  color: #ff7900;

}

/* ============== */

/* Specific parts */

/* ============== */

/* ====================== */

/* TBC templates & stages */

/* ====================== */

/* Note: we use a class on thead element in order to reuse any other CSS by mkdocs */

.md-typeset .tbc-stages th, .md-typeset .tbc-stages td {

  font-size: large;

  vertical-align: middle;

  margin-right: .25rem;

}

/* ============= */

/* Trivy reports */

/* ============= */

.trivy .pkg-name, .trivy .severity { font-weight: bold; }

.trivy td { padding: .4em .6em !important; }

.trivy.severity-LOW .severity { background-color: #5fbb31; }

.trivy.severity-MEDIUM .severity { background-color: #e9c600; }

.trivy.severity-HIGH .severity { background-color: #ff8800; }

.trivy.severity-CRITICAL .severity { background-color: #e40000; }

.trivy.severity-UNKNOWN .severity { background-color: #747474; }

.trivy.severity-LOW { background-color: #5fbb3160; }

.trivy.severity-MEDIUM { background-color: #e9c60060; }

.trivy.severity-HIGH { background-color: #ff880060; }

.trivy.severity-CRITICAL { background-color: #e4000060; }

.trivy.severity-UNKNOWN { background-color: #74747460; }

.trivy .links a, .trivy .links[data-more-links=on] a {

  display: block;

  white-space: nowrap;

}

.trivy .links[data-more-links=off] a:nth-of-type(1n+4) {

  display: none;

}

Here is the list of [generic stages](../understand.md#generic-pipeline-stages) used by each _to-be-continuous_ template:

<table>

<thead class="tbc-stages">

<thead class="tbc-stages"><tr>

--8<-- "docs/ref/templates-stages-head.part.html"

</thead>

</tr></thead>

<tbody class="tbc-stages">

--8<-- "docs/ref/templates-stages-body.part.html"

</tbody>

# Security

!!! WARNING

    _to be continuous_ templates use to embed required tools as **container images**.

    As much as we can, we try to select either **official images** (ex: Maven, Python), or at least images maintained by an **active community**.

    Each of those images can be freely overridden with the appropriate configuration variable to select _fixed versions_ ([more info here](../usage.md#docker-images-versions)) or any alternative that would suit you more. 

    _to be continuous_ is not responsible of any possible security issue from a default container image.

    If a vulnerability would be found in an image used by default, you could address it in one of the following ways:

    - report the vulnerability to the owning project,

    - select an other version or alternative of the image that fixes the issue,

    - build and use your own, vulnerability-free image.

## Vulnerability Reports (Trivy)

Here are vulnerability reports for each default image used by _to be continuous_ templates (generated every day):

<table>

<thead><tr>

<th>Template</th>

<th>Image Variable</th>

<th>Default Image</th>

</tr></thead>

<tbody>

--8<-- "docs/secu/trivy-reports-body.part.html"

</tbody>

</table>

 No newline at end of file

<!-- Amazon Web Services --><tr class="img-main"><td>Amazon Web Services</td><td><a href="trivy-AWS_CLI_IMAGE">AWS_CLI_IMAGE</a></td><td>registry.hub.docker.com/amazon/aws-cli:latest</td></tr>

<!-- Ansible --><tr class="img-main"><td>Ansible</td><td><a href="trivy-ANSIBLE_IMAGE">ANSIBLE_IMAGE</a></td><td>registry.hub.docker.com/cytopia/ansible:latest-tools</td></tr>

<!-- Angular --><tr class="img-main"><td>Angular</td><td><a href="trivy-NG_CLI_IMAGE">NG_CLI_IMAGE</a></td><td>registry.hub.docker.com/trion/ng-cli-karma:latest</td></tr>

<!-- Ansible --><tr class="img-feat"><td>Ansible</td><td><a href="trivy-ANSIBLE_LINT_IMAGE">ANSIBLE_LINT_IMAGE</a></td><td>registry.hub.docker.com/haxorof/ansible-lint:latest</td></tr>

<!-- Bash --><tr class="img-feat"><td>Bash</td><td><a href="trivy-BASH_BATS_IMAGE">BASH_BATS_IMAGE</a></td><td>registry.hub.docker.com/bats/bats:latest</td></tr>

<!-- Bash --><tr class="img-feat"><td>Bash</td><td><a href="trivy-BASH_SHELLCHECK_IMAGE">BASH_SHELLCHECK_IMAGE</a></td><td>registry.hub.docker.com/koalaman/shellcheck-alpine:stable</td></tr>

<!-- Cloud Foundry --><tr class="img-main"><td>Cloud Foundry</td><td><a href="trivy-CF_CLI_IMAGE">CF_CLI_IMAGE</a></td><td>registry.hub.docker.com/governmentpaas/cf-cli</td></tr>

<!-- Cloud Native Buildpacks --><tr class="img-main"><td>Cloud Native Buildpacks</td><td><a href="trivy-CNB_BUILDER_IMAGE">CNB_BUILDER_IMAGE</a></td><td>registry.hub.docker.com/paketobuildpacks/builder:base</td></tr>

<!-- Cloud Native Buildpacks --><tr class="img-feat"><td>Cloud Native Buildpacks</td><td><a href="trivy-CNB_SKOPEO_IMAGE">CNB_SKOPEO_IMAGE</a></td><td>quay.io/skopeo/stable:latest</td></tr>

<!-- Cypress --><tr class="img-main"><td>Cypress</td><td><a href="trivy-CYPRESS_IMAGE">CYPRESS_IMAGE</a></td><td>registry.hub.docker.com/cypress/included:12.0.2</td></tr>

<!-- dbt --><tr class="img-main"><td>dbt</td><td><a href="trivy-DBT_IMAGE">DBT_IMAGE</a></td><td>registry.hub.docker.com/library/python:latest</td></tr>

<!-- DefectDojo --><tr class="img-main"><td>DefectDojo</td><td><a href="trivy-DEFECTDOJO_BASE_IMAGE">DEFECTDOJO_BASE_IMAGE</a></td><td>registry.hub.docker.com/library/node:alpine3.11</td></tr>

<!-- Docker --><tr class="img-main"><td>Docker</td><td><a href="trivy-DOCKER_DIND_IMAGE">DOCKER_DIND_IMAGE</a></td><td>registry.hub.docker.com/library/docker:dind</td></tr>

<!-- Docker --><tr class="img-main"><td>Docker</td><td><a href="trivy-DOCKER_IMAGE">DOCKER_IMAGE</a></td><td>registry.hub.docker.com/library/docker:latest</td></tr>

<!-- Docker --><tr class="img-main"><td>Docker</td><td><a href="trivy-DOCKER_KANIKO_IMAGE">DOCKER_KANIKO_IMAGE</a></td><td>gcr.io/kaniko-project/executor:debug</td></tr>

<!-- Docker --><tr class="img-main"><td>Docker</td><td><a href="trivy-DOCKER_SKOPEO_IMAGE">DOCKER_SKOPEO_IMAGE</a></td><td>quay.io/skopeo/stable:latest</td></tr>

<!-- Docker --><tr class="img-feat"><td>Docker</td><td><a href="trivy-DOCKER_HADOLINT_IMAGE">DOCKER_HADOLINT_IMAGE</a></td><td>registry.hub.docker.com/hadolint/hadolint:latest-alpine</td></tr>

<!-- Docker --><tr class="img-feat"><td>Docker</td><td><a href="trivy-DOCKER_LINT_IMAGE">DOCKER_LINT_IMAGE</a></td><td>registry.hub.docker.com/projectatomic/dockerfile-lint:latest</td></tr>

<!-- Docker --><tr class="img-feat"><td>Docker</td><td><a href="trivy-DOCKER_SBOM_IMAGE">DOCKER_SBOM_IMAGE</a></td><td>registry.hub.docker.com/anchore/syft:debug</td></tr>

<!-- Docker --><tr class="img-feat"><td>Docker</td><td><a href="trivy-DOCKER_TRIVY_IMAGE">DOCKER_TRIVY_IMAGE</a></td><td>registry.hub.docker.com/aquasec/trivy:latest</td></tr>

<!-- Gitleaks --><tr class="img-main"><td>Gitleaks</td><td><a href="trivy-GITLEAKS_IMAGE">GITLEAKS_IMAGE</a></td><td>registry.hub.docker.com/zricethezav/gitleaks:latest</td></tr>

<!-- GNU Make --><tr class="img-main"><td>GNU Make</td><td><a href="trivy-MAKE_IMAGE">MAKE_IMAGE</a></td><td>registry.hub.docker.com/alpine/make</td></tr>

<!-- Go --><tr class="img-main"><td>Go</td><td><a href="trivy-GO_IMAGE">GO_IMAGE</a></td><td>registry.hub.docker.com/library/golang:buster</td></tr>

<!-- Go --><tr class="img-feat"><td>Go</td><td><a href="trivy-GO_CI_LINT_IMAGE">GO_CI_LINT_IMAGE</a></td><td>registry.hub.docker.com/golangci/golangci-lint:latest-alpine</td></tr>

<!-- Go --><tr class="img-feat"><td>Go</td><td><a href="trivy-GO_SBOM_IMAGE">GO_SBOM_IMAGE</a></td><td>registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest</td></tr>

<!-- Google Cloud --><tr class="img-main"><td>Google Cloud</td><td><a href="trivy-GCP_CLI_IMAGE">GCP_CLI_IMAGE</a></td><td>gcr.io/google.com/cloudsdktool/cloud-sdk:latest</td></tr>

<!-- Gradle --><tr class="img-main"><td>Gradle</td><td><a href="trivy-GRADLE_IMAGE">GRADLE_IMAGE</a></td><td>registry.hub.docker.com/library/gradle:latest</td></tr>

<!-- Helm --><tr class="img-main"><td>Helm</td><td><a href="trivy-HELM_CLI_IMAGE">HELM_CLI_IMAGE</a></td><td>registry.hub.docker.com/alpine/helm:latest</td></tr>

<!-- Helm --><tr class="img-feat"><td>Helm</td><td><a href="trivy-HELM_KUBE_SCORE_IMAGE">HELM_KUBE_SCORE_IMAGE</a></td><td>registry.hub.docker.com/zegl/kube-score</td></tr>

<!-- Helm --><tr class="img-feat"><td>Helm</td><td><a href="trivy-HELM_YAMLLINT_IMAGE">HELM_YAMLLINT_IMAGE</a></td><td>registry.hub.docker.com/cytopia/yamllint</td></tr>

<!-- k6 --><tr class="img-main"><td>k6</td><td><a href="trivy-K6_IMAGE">K6_IMAGE</a></td><td>registry.hub.docker.com/loadimpact/k6:latest</td></tr>

<!-- Kubernetes --><tr class="img-main"><td>Kubernetes</td><td><a href="trivy-K8S_KUBECTL_IMAGE">K8S_KUBECTL_IMAGE</a></td><td>registry.hub.docker.com/bitnami/kubectl:latest</td></tr>

<!-- Kubernetes --><tr class="img-feat"><td>Kubernetes</td><td><a href="trivy-  K8S_KUBE_SCORE_IMAGE">  K8S_KUBE_SCORE_IMAGE</a></td><td>registry.hub.docker.com/zegl/kube-score:latest-kustomize</td></tr>

<!-- Maven --><tr class="img-main"><td>Maven</td><td><a href="trivy-MAVEN_IMAGE">MAVEN_IMAGE</a></td><td>registry.hub.docker.com/library/maven:latest</td></tr>

<!-- MkDocs --><tr class="img-feat"><td>MkDocs</td><td><a href="trivy-MKD_LYCHEE_IMAGE">MKD_LYCHEE_IMAGE</a></td><td>registry.hub.docker.com/lycheeverse/lychee:latest</td></tr>

<!-- MkDocs --><tr class="img-main"><td>MkDocs</td><td><a href="trivy-MKD_IMAGE">MKD_IMAGE</a></td><td>registry.hub.docker.com/polinux/mkdocs:latest</td></tr>

<!-- MobSF --><tr class="img-main"><td>MobSF</td><td><a href="trivy-MOBSF_CLIENT_IMAGE">MOBSF_CLIENT_IMAGE</a></td><td>registry.hub.docker.com/dwdraju/alpine-curl-jq</td></tr>

<!-- Node.js --><tr class="img-main"><td>Node.js</td><td><a href="trivy-NODE_IMAGE">NODE_IMAGE</a></td><td>registry.hub.docker.com/library/node:lts-alpine</td></tr>

<!-- OpenShift --><tr class="img-main"><td>OpenShift</td><td><a href="trivy-OS_CLI_IMAGE">OS_CLI_IMAGE</a></td><td>quay.io/openshift/origin-cli:latest</td></tr>

<!-- PHP --><tr class="img-main"><td>PHP</td><td><a href="trivy-PHP_IMAGE">PHP_IMAGE</a></td><td>registry.hub.docker.com/library/php:latest</td></tr>

<!-- Postman --><tr class="img-main"><td>Postman</td><td><a href="trivy-POSTMAN_IMAGE">POSTMAN_IMAGE</a></td><td>registry.hub.docker.com/postman/newman:latest</td></tr>

<!-- Puppeteer --><tr class="img-main"><td>Puppeteer</td><td><a href="trivy-PUPPETEER_IMAGE">PUPPETEER_IMAGE</a></td><td>ghcr.io/puppeteer/puppeteer:latest</td></tr>

<!-- Python --><tr class="img-main"><td>Python</td><td><a href="trivy-PYTHON_IMAGE">PYTHON_IMAGE</a></td><td>registry.hub.docker.com/library/python:3</td></tr>

<!-- Robot Framework --><tr class="img-main"><td>Robot Framework</td><td><a href="trivy-ROBOT_BASE_IMAGE">ROBOT_BASE_IMAGE</a></td><td>registry.hub.docker.com/ppodgorsek/robot-framework:latest</td></tr>

<!-- S3 (Simple Storage Service) --><tr class="img-main"><td>S3 (Simple Storage Service)</td><td><a href="trivy-S3_CMD_IMAGE">S3_CMD_IMAGE</a></td><td>registry.hub.docker.com/d3fk/s3cmd:latest</td></tr>

<!-- Scala/SBT --><tr class="img-main"><td>Scala/SBT</td><td><a href="trivy-SBT_IMAGE">SBT_IMAGE</a></td><td>registry.hub.docker.com/sbtscala/scala-sbt:17.0.2_1.6.2_3.1.3</td></tr>

<!-- Scala/SBT --><tr class="img-feat"><td>Scala/SBT</td><td><a href="trivy-SBT_SBOM_IMAGE">SBT_SBOM_IMAGE</a></td><td>registry.hub.docker.com/anchore/syft:debug</td></tr>

<!-- semantic-release --><tr class="img-main"><td>semantic-release</td><td><a href="trivy-SEMREL_IMAGE">SEMREL_IMAGE</a></td><td>registry.hub.docker.com/library/node:latest</td></tr>

<!-- SonarQube --><tr class="img-main"><td>SonarQube</td><td><a href="trivy-SONAR_SCANNER_IMAGE">SONAR_SCANNER_IMAGE</a></td><td>registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest</td></tr>

<!-- SQLFluff lint --><tr class="img-main"><td>SQLFluff lint</td><td><a href="trivy-SQLFLUFF_IMAGE">SQLFLUFF_IMAGE</a></td><td>registry.hub.docker.com/sqlfluff/sqlfluff:latest</td></tr>

<!-- Terraform --><tr class="img-main"><td>Terraform</td><td><a href="trivy-TF_IMAGE">TF_IMAGE</a></td><td>registry.hub.docker.com/hashicorp/terraform:light</td></tr>

<!-- Terraform --><tr class="img-feat"><td>Terraform</td><td><a href="trivy-TF_CHECKOV_IMAGE">TF_CHECKOV_IMAGE</a></td><td>registry.hub.docker.com/bridgecrew/checkov</td></tr>

<!-- Terraform --><tr class="img-feat"><td>Terraform</td><td><a href="trivy-TF_INFRACOST_IMAGE">TF_INFRACOST_IMAGE</a></td><td>registry.hub.docker.com/infracost/infracost</td></tr>

<!-- Terraform --><tr class="img-feat"><td>Terraform</td><td><a href="trivy-TF_TFLINT_IMAGE">TF_TFLINT_IMAGE</a></td><td>ghcr.io/terraform-linters/tflint:latest</td></tr>

<!-- Terraform --><tr class="img-feat"><td>Terraform</td><td><a href="trivy-TF_TFSEC_IMAGE">TF_TFSEC_IMAGE</a></td><td>registry.hub.docker.com/aquasec/tfsec-ci</td></tr>

<!-- Test SSL --><tr class="img-main"><td>Test SSL</td><td><a href="trivy-TESTSSL_IMAGE">TESTSSL_IMAGE</a></td><td>registry.hub.docker.com/drwetter/testssl.sh:latest</td></tr>