Commit 775b810a authored by Cédric OLIVIER
Merge branch 'master' into 'master'

Add variable for setting trivy db repository path

Closes #73

See merge request to-be-continuous/docker!107
parents 544e87f6 9b2bd783
...@@ -403,6 +403,8 @@ It is bound to the `package-test` stage, and uses the following variables: ...@@ -403,6 +403,8 @@ It is bound to the `package-test` stage, and uses the following variables:
| `trivy-security-level-threshold` / `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD` | Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | | `trivy-security-level-threshold` / `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD` | Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis | _(none)_ | | `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis | _(none)_ |
| `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` | | `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` |
| `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | Set a custom DB repository path for downloading the trivy database | _(none: default "ghcr.io/aquasecurity/trivy-db")_ |
In addition to a textual report in the console, this job produces the following reports, kept for one day: In addition to a textual report in the console, this job produces the following reports, kept for one day:
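Review bot: the new `trivy-db-repository` row should state that the variable is only honoured in standalone mode; in the script hunk below the `--db-repository` flag is passed only inside the `if [[ -z "${DOCKER_TRIVY_ADDR}" ]]` branch, so a user who sets `DOCKER_TRIVY_ADDR` will see no effect and the table gives no hint of that. Suggest "Custom DB repository to download the Trivy database from (standalone mode only; ignored when `DOCKER_TRIVY_ADDR` is set)". Two smaller points in the same table: the default column should make clear that "ghcr.io/aquasecurity/trivy-db" is Trivy's own built-in default rather than something this template sets, and the `trivy-args` row still documents `--ignore-unfixed --vuln-type os` while the JSON and YAML specs in this same commit default to `--ignore-unfixed --vuln-type os --exit-on-eol 1`; worth aligning while the table is being touched. Finally, since a custom repository becomes the trust root for every vulnerability verdict the job produces, a one-line caveat that the mirror must be kept in sync with upstream (a stale mirror silently yields false negatives) would help operators.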
...@@ -196,6 +196,11 @@ ...@@ -196,6 +196,11 @@
"description": "Additional `trivy client` arguments", "description": "Additional `trivy client` arguments",
"default": "--ignore-unfixed --vuln-type os --exit-on-eol 1", "default": "--ignore-unfixed --vuln-type os --exit-on-eol 1",
"advanced": true "advanced": true
},
{
"name": "DOCKER_TRIVY_DB_REPOSITORY",
"description": "Custom DB repository path",
"advanced": true
} }
] ]
}, },
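Review bot: the `DOCKER_TRIVY_DB_REPOSITORY` entry's description ("Custom DB repository path") is terser than the README row added in the same commit and does not say what an unset value means or that the setting only applies in standalone mode. Suggest reusing the README wording, e.g. `"description": "Custom DB repository to download the Trivy database from (standalone mode only; defaults to Trivy's built-in ghcr.io/aquasecurity/trivy-db)"`, so the kicker UI and the docs say the same thing. Leaving `"default"` out is consistent with the README's "_(none)_", so no change needed there.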
...@@ -170,6 +170,9 @@ spec: ...@@ -170,6 +170,9 @@ spec:
trivy-args: trivy-args:
description: Additional `trivy client` arguments description: Additional `trivy client` arguments
default: --ignore-unfixed --vuln-type os --exit-on-eol 1 default: --ignore-unfixed --vuln-type os --exit-on-eol 1
trivy-db-repository:
description: Custom DB repository path
default: ''
sbom-disabled: sbom-disabled:
description: Disable Software Bill of Materials description: Disable Software Bill of Materials
type: boolean type: boolean
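Review bot: same documentation point as the JSON spec: `trivy-db-repository` has `description: Custom DB repository path` and `default: ''`, but nothing tells the reader that the empty string means "use Trivy's built-in ghcr.io/aquasecurity/trivy-db" or that the input is ignored in client/server mode. Suggest matching the README's description text here. Declaring `default: ''` (rather than omitting the default) is the right call, since the variables block maps it unconditionally with `$[[ inputs.trivy-db-repository ]]` and the script then tests it with `-z`.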
...@@ -245,6 +248,7 @@ variables: ...@@ -245,6 +248,7 @@ variables:
DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]] DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]] DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]] DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]]
DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]]
# SBOM genenration image and arguments # SBOM genenration image and arguments
DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]] DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]]
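Review bot: the new `DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]]` mapping is consistent with the surrounding Trivy variables and with the `default: ''` declared in the spec, so nothing to change in the added line. Style nit in the unchanged context just below it: the comment `# SBOM genenration image and arguments` has a typo ("genenration"); since this block is being edited anyway, fixing it to "generation" would be cheap.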
...@@ -926,7 +930,11 @@ docker-trivy: ...@@ -926,7 +930,11 @@ docker-trivy:
mkdir -p ./reports mkdir -p ./reports
if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m" log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
if [[ -z "${DOCKER_TRIVY_DB_REPOSITORY}" ]]; then
trivy image --download-db-only trivy image --download-db-only
else
trivy image --download-db-only --db-repository ${DOCKER_TRIVY_DB_REPOSITORY}
fi
export trivy_opts="image" export trivy_opts="image"
else else
log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}" log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"
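Review bot: `${DOCKER_TRIVY_DB_REPOSITORY}` is passed unquoted in `trivy image --download-db-only --db-repository ${DOCKER_TRIVY_DB_REPOSITORY}`; every other variable expansion in this block is quoted, and an unquoted value is subject to word splitting and globbing, so quote it. The `if`/`else` that duplicates the download command can then collapse to a single line using bash's alternate-value expansion, e.g. `trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository "${DOCKER_TRIVY_DB_REPOSITORY}"}`, which keeps the two code paths from drifting. Two follow-ups outside the visible lines that the reviewer should check: the actual scan is run later via `trivy_opts="image"`, and that invocation is not in this hunk, so confirm it either passes the same `--db-repository` or uses `--skip-db-update`; otherwise a cache miss or DB refresh during the scan would fall back to the default registry, defeating the point of the variable (and any air-gap it was introduced for). And since `--db-repository` is a relatively recent Trivy flag, confirm the pinned `DOCKER_TRIVY_IMAGE` supports it; the README in this same commit still links the v0.27.1 CLI reference.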