Commit 43443591 authored by Cédric OLIVIER

Merge branch '30-make-the-vuln-type-trivy-argument-configurable' into 'master'

Resolve "Make the --vuln-type Trivy argument configurable"

Closes #30

See merge request to-be-continuous/docker!35
parents 4234efc3 15457c6e
+1 −1
@@ -300,7 +300,7 @@ It is bound to the `package-test` stage, and uses the following variables:
| `DOCKER_TRIVY_ADDR`    | The Trivy server address               | _(none: disabled by default)_  |
| `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD`| Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`  |
| `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis          | _(none)_ |
| `DOCKER_TRIVY_ARGS`    | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/dev/getting-started/cli/client/)  | `--ignore-unfixed` |
| `DOCKER_TRIVY_ARGS`    | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |

### `docker-publish` job

+1 −1
@@ -165,7 +165,7 @@
        {
          "name": "DOCKER_TRIVY_ARGS",
          "description": "Additional `trivy client` arguments",
          "default": "--ignore-unfixed",
          "default": "--ignore-unfixed --vuln-type os",
          "advanced": true
        }
      ]
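Review bot: The `description` on this variable still reads "Additional `trivy client` arguments", but a project that sets `DOCKER_TRIVY_ARGS` replaces the whole default rather than appending to it, so both `--ignore-unfixed` and the `--vuln-type os` flag this commit moves into the default disappear unless the project restates them. Suggested wording: `"description": "Additional \`trivy client\` arguments (setting this variable replaces the default value; restate --ignore-unfixed and --vuln-type as needed)"`. The README table row in the first file section has the same gap.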
+4 −4
@@ -47,7 +47,7 @@ variables:

  DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  DOCKER_TRIVY_IMAGE: "aquasec/trivy:latest"
  DOCKER_TRIVY_ARGS: "--ignore-unfixed"
  DOCKER_TRIVY_ARGS: "--ignore-unfixed --vuln-type os"

  # by default: DevOps pipeline
  PUBLISH_ON_PROD: "true"
@@ -611,9 +611,9 @@ docker-trivy:
    export FILENAME=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
    mkdir -p ./trivy
    # the first execution of Trivy should never fail, otherwise the other executions won't be run (so --exit-code=0)
    trivy client --remote ${DOCKER_TRIVY_ADDR} --format template --template @/contrib/junit.tpl --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.xml --vuln-type os --exit-code 0  ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
    trivy client --remote ${DOCKER_TRIVY_ADDR} --format json --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.json --vuln-type os --exit-code 0 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
    trivy client --remote ${DOCKER_TRIVY_ADDR} --format table --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --vuln-type os --exit-code 1 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
    trivy client --remote ${DOCKER_TRIVY_ADDR} --format template --template @/contrib/junit.tpl --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.xml --exit-code 0  ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
    trivy client --remote ${DOCKER_TRIVY_ADDR} --format json --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.json --exit-code 0 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
    trivy client --remote ${DOCKER_TRIVY_ADDR} --format table --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --exit-code 1 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
  artifacts:
    when: always
    paths:
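Review bot: With `--vuln-type os` now supplied only through `DOCKER_TRIVY_ARGS`, the scope of the blocking run (the third `trivy client` line, `--exit-code 1`) is decided entirely by that variable: under the new default the gate covers OS packages only, so, per Trivy's `--vuln-type` semantics, vulnerabilities in application dependencies bundled in the image are neither reported nor gated unless a project widens the value, while an override that omits `--ignore-unfixed` turns unfixed findings into pipeline failures. That trade-off belongs next to the default rather than in the README alone; a comment above the `DOCKER_TRIVY_ARGS:` line such as `# scans OS packages only and hides unfixed findings by default; set e.g. "--ignore-unfixed --vuln-type os,library" to also gate application dependencies (an override replaces the whole default)` would make it visible where it is overridden. The `docker-trivy` job and its `script` block start before this hunk.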