| `trivy-image` / `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `docker.io/aquasec/trivy:latest`<br/>[](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_TRIVY_IMAGE)|
| `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis | _(none)_ |
Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options).
Other Trivy parameters shall be configured using [Trivy environment variables](https://trivy.dev/docs/latest/references/configuration/cli/trivy_image/#options).
Examples:
*`TRIVY_SEVERITY`: severities of security issues to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)
@@ -477,15 +477,15 @@ Examples:
*`TRIVY_DB_REPOSITORY`: OCI repository to retrieve Trivy Database from
*`TRIVY_JAVA_DB_REPOSITORY`: OCI repository to retrieve Trivy Java Database from
It's possible to ignore some CVE by adding a `.trivyignore` file at the root of the project (see [official documentation](https://trivy.dev/latest/docs/configuration/filtering/#trivyignore) for syntax).
It's possible to ignore some CVE by adding a `.trivyignore` file at the root of the project (see [official documentation](https://trivy.dev/docs/latest/configuration/filtering/#trivyignore) for syntax).
In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:
| `reports/docker-trivy-*.native.json` | Native Trivy report format (json) | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/trivy/)<br/>_This report is generated only if DefectDojo template is detected_ |
| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab Container Security](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/gitlab-ci/) format | [GitLab Container Security](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportscontainer_scanning) |
| `reports/docker-trivy-*.gitlab-codequality.json` | [Trivy report format for GitLab Code Quality](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/gitlab-ci/) format | [GitLab Code Quality](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportscodequality) |
| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab Container Security](https://trivy.dev/docs/latest/tutorials/integrations/gitlab-ci/) format | [GitLab Container Security](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportscontainer_scanning) |
| `reports/docker-trivy-*.gitlab-codequality.json` | [Trivy report format for GitLab Code Quality](https://trivy.dev/docs/latest/tutorials/integrations/gitlab-ci/) format | [GitLab Code Quality](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportscodequality) |
default:--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive --disable-telemetry --skip-version-check
sbom-disabled:
description:Disable Software Bill of Materials
@@ -1308,7 +1308,7 @@ docker-trivy:
basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
mkdir -p ./reports
if [[ -z "$TRIVY_SERVER" ]]; then
log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. More info here: https://trivy.dev/docs/latest/references/modes/client-server/\\e[0m"
fi
# Generate the native JSON report that can later be converted to other formats
