Commit 671b7814 authored by Bertrand Goareguer's avatar Bertrand Goareguer Committed by Pierre Smeyers

fix(Trivy): trivy scan fails when issues are found

parent 432f9efb
+1 −1
@@ -247,7 +247,7 @@ It is bound to the `test` stage, and uses the following variables:
| ---------------- | ----------------------------------------------------------------------- | ----------------- |
| `trivy-disabled` / `PYTHON_TRIVY_DISABLED` | Set to `true` to disable Trivy job                                 | _none_ (enabled) |
| `trivy-dist-url` / `PYTHON_TRIVY_DIST_URL` | Url to the `tar.gz` package for `linux_amd64` of Trivy to use (ex: `https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ |
| `trivy-args` / `PYTHON_TRIVY_ARGS`       | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_filesystem/) | `--pkg-types library --detection-priority comprehensive`   |
| `trivy-args` / `PYTHON_TRIVY_ARGS`       | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_filesystem/) | `--ignore-unfixed --pkg-types library --detection-priority comprehensive`   |

In addition to a textual report in the console, this job produces the following reports, kept for one day:

+1 −1
@@ -145,7 +145,7 @@
        {
          "name": "PYTHON_TRIVY_ARGS",
          "description": "Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)",
          "default": "--pkg-types library --detection-priority comprehensive",
          "default": "--ignore-unfixed --pkg-types library --detection-priority comprehensive",
          "advanced": true
        }
      ]
+2 −2
@@ -109,7 +109,7 @@ spec:
      default: ''
    trivy-args:
      description: Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)
      default: --pkg-types library --detection-priority comprehensive
      default: --ignore-unfixed --pkg-types library --detection-priority comprehensive
    sbom-disabled:
      description: Disable Software Bill of Materials
      type: boolean
@@ -1303,7 +1303,7 @@ py-trivy:
      then
        $python_trivy fs ${PYTHON_TRIVY_ARGS} --exit-code 0 --list-all-pkgs --format json --output reports/py-trivy.trivy.json ./reports/
      fi
      $python_trivy fs ${PYTHON_TRIVY_ARGS} --format table ./reports/
      $python_trivy fs ${PYTHON_TRIVY_ARGS} --exit-code 1 --format table ./reports/
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
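Review bot: The new `--ignore-unfixed` default reaches the JSON report as well as the gate, because both `$python_trivy fs` invocations in the `py-trivy` script expand `${PYTHON_TRIVY_ARGS}`; `reports/py-trivy.trivy.json` would then stop listing vulnerabilities that have no fix yet, and anything consuming that artifact loses sight of them. This assumes the second line of each printed pair is the new side, since the page has lost its `+`/`-` markers. If the aim is only to keep the new `--exit-code 1` gate from failing on findings nobody can remediate, consider leaving the shared default as it was and putting the flag on the gating line alone, `$python_trivy fs ${PYTHON_TRIVY_ARGS} --ignore-unfixed --exit-code 1 --format table ./reports/`. Otherwise, the `trivy-args` description should at least say that the default hides unfixed findings from both the report and the gate. The script block starts above the hunk, so the condition guarding the JSON run is not visible here.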