Skip to content
Snippets Groups Projects
Commit 88348c8b authored by Bertrand Goareguer's avatar Bertrand Goareguer Committed by Pierre Smeyers
Browse files

feat(Trivy): allow Trivy to be run in standalone mode

parent 716cd2d5
Branches
Tags
No related merge requests found
......@@ -283,9 +283,9 @@ In case your image takes quite some time to be downloaded by the runner, increas
This job performs a Vulnerability Static Analysis with [Trivy](https://github.com/aquasecurity/trivy) on your built image.
:warning: As presented below, this job is enabled only if you specify a Trivy server address with the `DOCKER_TRIVY_ADDR` environment variable.
Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/v0.28.0/docs/references/modes/standalone/) mode.
A Trivy server has been deployed internally. If you want to use it, you can add the following variable definition to you `.gitlab-ci.yml`:
If you want to run Trivy in client/server mode, you need to set the `DOCKER_TRIVY_ADDR` environment variable.
```yaml
variables:
......@@ -297,7 +297,7 @@ It is bound to the `package-test` stage, and uses the following variables:
| Name | Description | Default value |
| ---------------------- | -------------------------------------- | ----------------- |
| `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `aquasec/trivy:latest` |
| `DOCKER_TRIVY_ADDR` | The Trivy server address | _(none: disabled by default)_ |
| `DOCKER_TRIVY_ADDR` | The Trivy server address (for client/server mode) | _(none: standalone mode)_ |
| `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD`| Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis | _(none)_ |
| `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` |
......
......@@ -605,28 +605,44 @@ docker-trivy:
name: $DOCKER_TRIVY_IMAGE
entrypoint: [""]
stage: package-test
variables:
TRIVY_CACHE_DIR: ".trivycache/"
script: |
# cache cleanup is needed when scanning images with the same tags, it does not remove the database
trivy image --clear-cache
export TRIVY_USERNAME=${DOCKER_REGISTRY_SNAPSHOT_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}
export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
export FILENAME=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
mkdir -p ./trivy
if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
trivy image --download-db-only
export trivy_opts="image"
else
log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"
export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}"
fi
# Add common trivy arguments
export trivy_opts="${trivy_opts} --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} --vuln-type os ${DOCKER_TRIVY_ARGS}"
# the first execution of Trivy should never fail, otherwise the other executions won't be run (so --exit-code=0)
trivy client --remote ${DOCKER_TRIVY_ADDR} --format template --template @/contrib/junit.tpl --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.xml --exit-code 0 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
trivy client --remote ${DOCKER_TRIVY_ADDR} --format json --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.json --exit-code 0 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
trivy client --remote ${DOCKER_TRIVY_ADDR} --format table --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --exit-code 1 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
trivy ${trivy_opts} --format template --template @/contrib/junit.tpl --output ./trivy/${FILENAME}.xml --exit-code 0 $DOCKER_SNAPSHOT_IMAGE
trivy ${trivy_opts} --format json --output ./trivy/${FILENAME}.json --exit-code 0 $DOCKER_SNAPSHOT_IMAGE
trivy ${trivy_opts} --format table --exit-code 1 $DOCKER_SNAPSHOT_IMAGE
artifacts:
when: always
paths:
- trivy/
reports:
junit: "trivy/*.xml"
cache:
paths:
- .trivycache/
rules:
- if: '$DOCKER_TRIVY_DISABLED == "true"'
when: never
- if: '$DOCKER_TRIVY_ADDR && ($CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF)'
- if: '($CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF)'
# allow failure on development branches:
- if: $DOCKER_TRIVY_ADDR
allow_failure: true
- allow_failure: true
# ==================================================
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment