Merge branch '30-make-the-vuln-type-trivy-argument-configurable' into 'master'

Resolve "Make the --vuln-type Trivy argument configurable" Closes #30 See merge request to-be-continuous/docker!35

Merge branch '30-make-the-vuln-type-trivy-argument-configurable' into 'master'
43443591 · Cédric OLIVIER · 4234efc3 · 15457c6e · 43443591 · 43443591
Commit 43443591 authored 2 years ago by Cédric OLIVIER
--- a/README.md
+++ b/README.md
@@ -300,7 +300,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `DOCKER_TRIVY_ADDR`    | The Trivy server address               | _(none: disabled by default)_  |
 | `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD`| Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`  |
 | `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis          | _(none)_ |
-| `DOCKER_TRIVY_ARGS`    | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/dev/getting-started/cli/client/)  | `--ignore-unfixed` |
+| `DOCKER_TRIVY_ARGS`    | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |
 ### `docker-publish` job

--- a/kicker.json
+++ b/kicker.json
@@ -165,7 +165,7 @@
        {
          "name": "DOCKER_TRIVY_ARGS",
          "description": "Additional `trivy client` arguments",
-          "default": "--ignore-unfixed",
+          "default": "--ignore-unfixed --vuln-type os",
          "advanced": true
        }
      ]

--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -47,7 +47,7 @@ variables:
  DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  DOCKER_TRIVY_IMAGE: "aquasec/trivy:latest"
-  DOCKER_TRIVY_ARGS: "--ignore-unfixed"
+  DOCKER_TRIVY_ARGS: "--ignore-unfixed --vuln-type os"
  # by default: DevOps pipeline
  PUBLISH_ON_PROD: "true"
@@ -611,9 +611,9 @@ docker-trivy:
    export FILENAME=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
    mkdir -p ./trivy
    # the first execution of Trivy should never fail, otherwise the other executions won't be run (so --exit-code=0)
-    trivy client --remote ${DOCKER_TRIVY_ADDR} --format template --template @/contrib/junit.tpl --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.xml --vuln-type os --exit-code 0  ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
+    trivy client --remote ${DOCKER_TRIVY_ADDR} --format template --template @/contrib/junit.tpl --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.xml --exit-code 0  ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
-    trivy client --remote ${DOCKER_TRIVY_ADDR} --format json --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.json --vuln-type os --exit-code 0 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
+    trivy client --remote ${DOCKER_TRIVY_ADDR} --format json --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.json --exit-code 0 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
-    trivy client --remote ${DOCKER_TRIVY_ADDR} --format table --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --vuln-type os --exit-code 1 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
+    trivy client --remote ${DOCKER_TRIVY_ADDR} --format table --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --exit-code 1 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
  artifacts:
    when: always
    paths: