Commit 9b2bd783 authored by Marco Nacken's avatar Marco Nacken Committed by Cédric OLIVIER
Browse files

feat(trivy): add variable for setting trivy db repository path

parent 544e87f6

README.md

+2 −0
Original line number Diff line number Diff line
@@ -403,6 +403,8 @@ It is bound to the `package-test` stage, and uses the following variables: 
| `trivy-security-level-threshold` / `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD` | Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`  |

| `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis          | _(none)_ |

| `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |

| `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | Set a custom DB repository path for downloading the trivy database  | _(none: default "ghcr.io/aquasecurity/trivy-db")_ |





In addition to a textual report in the console, this job produces the following reports, kept for one day:

kicker.json

+5 −0
Original line number Diff line number Diff line
@@ -196,6 +196,11 @@ 
          "description": "Additional `trivy client` arguments",

          "default": "--ignore-unfixed --vuln-type os --exit-on-eol 1",

          "advanced": true

        },

        {

          "name": "DOCKER_TRIVY_DB_REPOSITORY",

          "description": "Custom DB repository path",

          "advanced": true

        }

      ]

    },

templates/gitlab-ci-docker.yml

+9 −1
Original line number Diff line number Diff line
@@ -170,6 +170,9 @@ spec: 
    trivy-args:

      description: Additional `trivy client` arguments

      default: --ignore-unfixed --vuln-type os --exit-on-eol 1

    trivy-db-repository:

      description: Custom DB repository path 

      default: ''

    sbom-disabled:

      description: Disable Software Bill of Materials

      type: boolean
@@ -245,6 +248,7 @@ variables: 
  DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]

  DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]]

  DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]]

  DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]]



  # SBOM genenration image and arguments

  DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]]
@@ -926,7 +930,11 @@ docker-trivy: 
    mkdir -p ./reports

    if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then

      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"

      if [[ -z "${DOCKER_TRIVY_DB_REPOSITORY}" ]]; then

        trivy image --download-db-only

      else

        trivy image --download-db-only --db-repository ${DOCKER_TRIVY_DB_REPOSITORY}

      fi

      export trivy_opts="image"

    else

      log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"