diff --git a/README.md b/README.md
index 41e026a086f2fea63237fc0178bcdb8dec1055ad..b2a8058d2dc6e35895f170224631cd10653e6d4b 100644
--- a/README.md
+++ b/README.md
@@ -403,7 +403,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `trivy-security-level-threshold` / `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD` | Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
 | `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis | _(none)_ |
 | `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` |
-| `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | Set a custom DB repository path for downloading the trivy database | _(none: default "ghcr.io/aquasecurity/trivy-db")_ |
+| `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | OCI repository to retrieve Trivy Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-db`) |
 In addition to a textual report in the console, this job produces the following reports, kept for one day:
diff --git a/kicker.json b/kicker.json
index a17e8905b20662ac08d2556a2f8c46fa8a9195bd..d23402f49b4c26126d9994d827f3a64018946abc 100644
--- a/kicker.json
+++ b/kicker.json
@@ -198,7 +198,7 @@
 },
 {
 "name": "DOCKER_TRIVY_DB_REPOSITORY",
- "description": "Custom DB repository path",
+ "description": "Custom OCI repository to retrieve Trivy Database from",
 "advanced": true
 }
 ]
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index 61699d88fb7949dfd07776a72787dc5829f1a55a..6c5802ac5a113e2c8fc163df2e66716674673b53 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -171,7 +171,7 @@ spec:
 description: Additional `trivy client` arguments
 default: --ignore-unfixed --vuln-type os --exit-on-eol 1
 trivy-db-repository:
- description: Custom DB repository path
+ description: Custom OCI repository to retrieve Trivy Database from
 default: ''
 sbom-disabled:
 description: Disable Software Bill of Materials
@@ -930,11 +930,7 @@ docker-trivy:
 mkdir -p ./reports
 if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
 log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
- if [[ -z "${DOCKER_TRIVY_DB_REPOSITORY}" ]]; then
- trivy image --download-db-only
- else
- trivy image --download-db-only --db-repository ${DOCKER_TRIVY_DB_REPOSITORY}
- fi
+ trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository $DOCKER_TRIVY_DB_REPOSITORY}
 export trivy_opts="image"
 else
 log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"
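Review bot: The inner `$DOCKER_TRIVY_DB_REPOSITORY` in the added `trivy image --download-db-only` line of the `docker-trivy` hunk is still unquoted, so a value containing whitespace or glob characters is word-split and globbed into extra arguments before `trivy` sees it; the `:+` form accepts quoting inside the alternate word, so the line can read `trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository "$DOCKER_TRIVY_DB_REPOSITORY"}`. The removed `else` branch had the same gap, so this is not a regression, but because this variable decides where the vulnerability database the scan relies on is fetched from, a malformed value should make the job fail visibly rather than expand into arguments `trivy` did not expect. The `docker-trivy` script starts before the hunk and its client/server `else` branch continues past it, so I cannot see whether `DOCKER_TRIVY_DB_REPOSITORY` is also honoured in that mode; if it is not, the new description `Custom OCI repository to retrieve Trivy Database from` in the `spec` hunk could add "(standalone mode only)" so users do not expect it to affect server-side scans.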