feat(Trivy): allow Trivy to be run in standalone mode

88348c8b · Bertrand Goareguer · Pierre Smeyers · 716cd2d5 · 88348c8b · 88348c8b
Commit 88348c8b authored 2 years ago by Bertrand Goareguer Committed by Pierre Smeyers 2 years ago
--- a/README.md
+++ b/README.md
@@ -283,9 +283,9 @@ In case your image takes quite some time to be downloaded by the runner, increas

 This job performs a Vulnerability Static Analysis with [Trivy](https://github.com/aquasecurity/trivy) on your built image.

-:warning: As presented below, this job is enabled only if you specify a Trivy server address with the `DOCKER_TRIVY_ADDR` environment variable.
+Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/v0.28.0/docs/references/modes/standalone/) mode.

-A Trivy server has been deployed internally. If you want to use it, you can add the following variable definition to you `.gitlab-ci.yml`:
+If you want to run Trivy in client/server mode, you need to set the `DOCKER_TRIVY_ADDR` environment variable.

 ```yaml
 variables:
@@ -297,7 +297,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | Name                   | Description                            | Default value     |
 | ---------------------- | -------------------------------------- | ----------------- |
 | `DOCKER_TRIVY_IMAGE`   | The docker image used to scan images with Trivy | `aquasec/trivy:latest` |
-| `DOCKER_TRIVY_ADDR`    | The Trivy server address               | _(none: disabled by default)_  |
+| `DOCKER_TRIVY_ADDR`    | The Trivy server address (for client/server mode)              | _(none: standalone mode)_  |
 | `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD`| Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`  |
 | `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis          | _(none)_ |
 | `DOCKER_TRIVY_ARGS`    | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |

--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -605,28 +605,44 @@ docker-trivy:
    name: $DOCKER_TRIVY_IMAGE
    entrypoint: [""]
  stage: package-test
+  variables:
+    TRIVY_CACHE_DIR: ".trivycache/"
  script: |
+    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
+    trivy image --clear-cache
    export TRIVY_USERNAME=${DOCKER_REGISTRY_SNAPSHOT_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}
    export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
    export FILENAME=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
    mkdir -p ./trivy
+    if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
+      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
+      trivy image --download-db-only
+      export trivy_opts="image"
+    else
+      log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"
+      export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}"
+    fi
+    # Add common trivy arguments
+    export trivy_opts="${trivy_opts} --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} --vuln-type os ${DOCKER_TRIVY_ARGS}"
    # the first execution of Trivy should never fail, otherwise the other executions won't be run (so --exit-code=0)
-    trivy client --remote ${DOCKER_TRIVY_ADDR} --format template --template @/contrib/junit.tpl --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.xml --exit-code 0  ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
-    trivy client --remote ${DOCKER_TRIVY_ADDR} --format json --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.json --exit-code 0 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
-    trivy client --remote ${DOCKER_TRIVY_ADDR} --format table --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --exit-code 1 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
+    trivy ${trivy_opts} --format template --template @/contrib/junit.tpl --output ./trivy/${FILENAME}.xml --exit-code 0  $DOCKER_SNAPSHOT_IMAGE
+    trivy ${trivy_opts} --format json --output ./trivy/${FILENAME}.json --exit-code 0 $DOCKER_SNAPSHOT_IMAGE
+    trivy ${trivy_opts} --format table --exit-code 1 $DOCKER_SNAPSHOT_IMAGE
  artifacts:
    when: always
    paths:
    - trivy/
    reports:
      junit: "trivy/*.xml"
+  cache:
+    paths:
+      - .trivycache/
  rules:
    - if: '$DOCKER_TRIVY_DISABLED == "true"'
      when: never
-    - if: '$DOCKER_TRIVY_ADDR && ($CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF)'
+    - if: '($CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF)'
    # allow failure on development branches:
-    - if: $DOCKER_TRIVY_ADDR
-      allow_failure: true
+    - allow_failure: true


 # ==================================================