trivy check
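# Security scan with trivy
#
# Pulls the image built earlier in the pipeline as a tarball with crane, then
# runs trivy against that tarball several times: once for a full human-readable
# report in the job log, three times to render GitLab-consumable reports
# (container scanning, code quality, HTML), and a final gated run that fails the
# job on CRITICAL findings. GIT_STRATEGY is none, so there is no checkout and
# the project's .trivyignore has to be fetched separately.
security:trivy:
  stage: security
  variables:
    GIT_STRATEGY: none
  image:
    name: $TRIVY_IMAGE_CUSTOM
    entrypoint: [""]
  cache:
    # Persists the trivy DB and scan cache (.trivycache/) between jobs.
    key: trivy-cache
    paths:
      - .trivycache/
  artifacts:
    # always: reports are uploaded even when the CRITICAL gate fails the job.
    when: always
    expire_in: 2 hrs
    paths:
      - gl-codequality-report.json
      - report.html
    reports:
      codequality: gl-codequality-report.json
      container_scanning: gl-container-scanning-report.json
  script:
    - "echo '########### Start Security Test #########'"
    # The registry password is passed on stdin instead of as a -p argument so it
    # is not visible in the process list or echoed into the job log.
    # NOTE(review): --insecure disables TLS verification for the registry; if
    # the registry is reachable with a trusted CA, drop the flag — confirm.
    - printf '%s' "$DOCKER_REGISTRY_PASS" | crane --insecure auth login "$DOCKER_REGISTRY" -u "$DOCKER_REGISTRY_USER" --password-stdin
    - crane --insecure pull "$DOCKER_REGISTRY/$DOCKER_IMAGE_PREFIX/$DOCKER_IMAGE_NAME:$PIPELINE_IMAGE_ID" image.tar
    # get ignore file, if not exist skip
    # NOTE(review): -k skips certificate checking and "|| true" hides every
    # failure, so a missing or altered ignore list is accepted silently; since
    # .trivyignore suppresses findings, confirm both are intended.
    - curl -fksSLO "${CI_SERVER_URL}/xxx/raw/master/.trivyignore" || true
    - trivy --version
    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
    # --cache-dir must match the directory used by the scans below; without it
    # trivy clears its default cache dir and the stale results in .trivycache/
    # (restored from the GitLab cache) are kept.
    - time trivy --cache-dir .trivycache/ image --clear-cache
    # update vulnerabilities db
    - time trivy --cache-dir .trivycache/ image --download-db-only --no-progress
    # Prints full report
    - time trivy --cache-dir .trivycache/ image --input image.tar --exit-code 0 --no-progress
    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
    - time trivy -q --cache-dir .trivycache/ image --input image.tar --exit-code 0 --no-progress --format template --template "@/contrib/gitlab.tpl"
        --output "$CI_PROJECT_DIR/gl-container-scanning-report.json"
    # Report code-quality
    - time trivy -q --cache-dir .trivycache/ image --input image.tar --exit-code 0 --no-progress --format template --template "@/contrib/gitlab-codequality.tpl"
        --output "$CI_PROJECT_DIR/gl-codequality-report.json"
    # Report html
    - time trivy -q --cache-dir .trivycache/ image --input image.tar --exit-code 0 --no-progress --format template --template "@/contrib/html.tpl"
        --output "$CI_PROJECT_DIR/report.html"
    # Fail on critical vulnerabilities
    # Only CRITICAL blocks the pipeline; HIGH and lower are reported but do not
    # fail the job. Widen with --severity CRITICAL,HIGH if the policy requires it.
    - time trivy -q --cache-dir .trivycache/ image --input image.tar --exit-code 1 --severity CRITICAL --no-progress
    - "echo '########### Complete Security Test #########'"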