Loading README.md +1 −0 Original line number Diff line number Diff line Loading @@ -272,6 +272,7 @@ It is bound to the `package-test` stage, and uses the following variables: | `DOCKER_TRIVY_ADDR` | The Trivy server address | _(none: disabled by default)_ | | `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD`| Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | | `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis | _(none)_ | | `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/dev/getting-started/cli/client/) | `--ignore-unfixed` | ### `docker-publish` job Loading kicker.json +6 −0 Original line number Diff line number Diff line Loading @@ -155,6 +155,12 @@ "values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"], "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)", "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" }, { "name": "DOCKER_TRIVY_ARGS", "description": "Additional `trivy client` arguments", "default": "--ignore-unfixed", "advanced": true } ] } Loading templates/gitlab-ci-docker.yml +4 −3 Original line number Diff line number Diff line Loading @@ -36,6 +36,7 @@ variables: DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" DOCKER_TRIVY_IMAGE: "aquasec/trivy:latest" DOCKER_TRIVY_ARGS: "--ignore-unfixed" # by default: DevOps pipeline PUBLISH_ON_PROD: "true" Loading Loading 
@@ -613,9 +614,9 @@ docker-trivy: export FILENAME=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g') mkdir -p ./trivy # the first execution of Trivy should never fail, otherwise the other executions won't be run (so --exit-code=0) trivy client --remote ${DOCKER_TRIVY_ADDR} --format template --template @/contrib/junit.tpl --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.xml --vuln-type os --exit-code 0 $DOCKER_SNAPSHOT_IMAGE trivy client --remote ${DOCKER_TRIVY_ADDR} --format json --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.json --vuln-type os --exit-code 0 $DOCKER_SNAPSHOT_IMAGE trivy client --remote ${DOCKER_TRIVY_ADDR} --format table --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --vuln-type os --exit-code 1 $DOCKER_SNAPSHOT_IMAGE trivy client --remote ${DOCKER_TRIVY_ADDR} --format template --template @/contrib/junit.tpl --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.xml --vuln-type os --exit-code 0 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE trivy client --remote ${DOCKER_TRIVY_ADDR} --format json --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.json --vuln-type os --exit-code 0 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE trivy client --remote ${DOCKER_TRIVY_ADDR} --format table --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --vuln-type os --exit-code 1 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE artifacts: when: always paths: Loading Loading
README.md +1 −0 Original line number Diff line number Diff line Loading @@ -272,6 +272,7 @@ It is bound to the `package-test` stage, and uses the following variables: | `DOCKER_TRIVY_ADDR` | The Trivy server address | _(none: disabled by default)_ | | `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD`| Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | | `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis | _(none)_ | | `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/dev/getting-started/cli/client/) | `--ignore-unfixed` | ### `docker-publish` job Loading
kicker.json +6 −0 Original line number Diff line number Diff line Loading @@ -155,6 +155,12 @@ "values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"], "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)", "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" }, { "name": "DOCKER_TRIVY_ARGS", "description": "Additional `trivy client` arguments", "default": "--ignore-unfixed", "advanced": true } ] } Loading
templates/gitlab-ci-docker.yml +4 −3 Original line number Diff line number Diff line Loading @@ -36,6 +36,7 @@ variables: DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" DOCKER_TRIVY_IMAGE: "aquasec/trivy:latest" DOCKER_TRIVY_ARGS: "--ignore-unfixed" # by default: DevOps pipeline PUBLISH_ON_PROD: "true" Loading Loading @@ -613,9 +614,9 @@ docker-trivy: export FILENAME=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g') mkdir -p ./trivy # the first execution of Trivy should never fail, otherwise the other executions won't be run (so --exit-code=0) trivy client --remote ${DOCKER_TRIVY_ADDR} --format template --template @/contrib/junit.tpl --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.xml --vuln-type os --exit-code 0 $DOCKER_SNAPSHOT_IMAGE trivy client --remote ${DOCKER_TRIVY_ADDR} --format json --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.json --vuln-type os --exit-code 0 $DOCKER_SNAPSHOT_IMAGE trivy client --remote ${DOCKER_TRIVY_ADDR} --format table --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --vuln-type os --exit-code 1 $DOCKER_SNAPSHOT_IMAGE trivy client --remote ${DOCKER_TRIVY_ADDR} --format template --template @/contrib/junit.tpl --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.xml --vuln-type os --exit-code 0 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE trivy client --remote ${DOCKER_TRIVY_ADDR} --format json --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.json --vuln-type os --exit-code 0 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE trivy client --remote ${DOCKER_TRIVY_ADDR} --format table --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --vuln-type os --exit-code 1 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE artifacts: when: always paths: Loading
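Review bot: The new default `--ignore-unfixed` is appended to all three `trivy client` runs in the `@@ -613` hunk, so vulnerabilities that have no fix available disappear from the JUnit and JSON artifacts as well as from the gating table run, which quietly narrows what the reports show compared to the previous behaviour, and neither the README row nor the kicker.json description says so. Consider adding the caveat to both descriptions, e.g. `Additional \`trivy client\` arguments (the default \`--ignore-unfixed\` hides vulnerabilities without an available fix from the reports and from the gate)`. `${DOCKER_TRIVY_ARGS}` is deliberately left unquoted so it can carry several options, which also means an option containing whitespace cannot be passed and, if trivy honours the last occurrence of a repeated flag, a user-supplied `--exit-code` there would override the gating run's `--exit-code 1`; a short comment above the three calls, `# DOCKER_TRIVY_ARGS is word-split on purpose (several flags) and comes after the job's own flags, so it may override them`, would make that explicit. The `docker-trivy` job's script starts before this hunk.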