diff --git a/README.md b/README.md index c18c187f64b794e3c2e6cd64863b50c129f34846..38b4fda967a7742c9bdb67a9bf3c29725349f3a7 100644 --- a/README.md +++ b/README.md @@ -283,9 +283,9 @@ In case your image takes quite some time to be downloaded by the runner, increas This job performs a Vulnerability Static Analysis with [Trivy](https://github.com/aquasecurity/trivy) on your built image. -:warning: As presented below, this job is enabled only if you specify a Trivy server address with the `DOCKER_TRIVY_ADDR` environment variable. +Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/v0.28.0/docs/references/modes/standalone/) mode. -A Trivy server has been deployed internally. If you want to use it, you can add the following variable definition to you `.gitlab-ci.yml`: +If you want to run Trivy in client/server mode, you need to set the `DOCKER_TRIVY_ADDR` environment variable. ```yaml variables: @@ -297,7 +297,7 @@ It is bound to the `package-test` stage, and uses the following variables: | Name | Description | Default value | | ---------------------- | -------------------------------------- | ----------------- | | `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `aquasec/trivy:latest` | -| `DOCKER_TRIVY_ADDR` | The Trivy server address | _(none: disabled by default)_ | +| `DOCKER_TRIVY_ADDR` | The Trivy server address (for client/server mode) | _(none: standalone mode)_ | | `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD`| Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | | `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis | _(none)_ | | `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` | diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index d2f3310e0ecde256b2ce7fa8213c57b461291cf2..039466a67ee24cf61c054aac5377fc03e0352d33 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml @@ -605,28 +605,44 @@ docker-trivy: name: $DOCKER_TRIVY_IMAGE entrypoint: [""] stage: package-test + variables: + TRIVY_CACHE_DIR: ".trivycache/" script: | + # cache cleanup is needed when scanning images with the same tags, it does not remove the database + trivy image --clear-cache export TRIVY_USERNAME=${DOCKER_REGISTRY_SNAPSHOT_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}} export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}} export FILENAME=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g') mkdir -p ./trivy + if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then + log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m" + trivy image --download-db-only + export trivy_opts="image" + else + log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}" + export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}" + fi + # Add common trivy arguments + export trivy_opts="${trivy_opts} --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} --vuln-type os ${DOCKER_TRIVY_ARGS}" # the first execution of Trivy should never fail, otherwise the other executions won't be run (so --exit-code=0) - trivy client --remote ${DOCKER_TRIVY_ADDR} --format template --template @/contrib/junit.tpl --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.xml --exit-code 0 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE - trivy client --remote ${DOCKER_TRIVY_ADDR} --format json --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.json --exit-code 0 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE - trivy client --remote ${DOCKER_TRIVY_ADDR} --format table --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --exit-code 1 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE + trivy ${trivy_opts} --format template --template @/contrib/junit.tpl --output ./trivy/${FILENAME}.xml --exit-code 0 $DOCKER_SNAPSHOT_IMAGE + trivy ${trivy_opts} --format json --output ./trivy/${FILENAME}.json --exit-code 0 $DOCKER_SNAPSHOT_IMAGE + trivy ${trivy_opts} --format table --exit-code 1 $DOCKER_SNAPSHOT_IMAGE artifacts: when: always paths: - trivy/ reports: junit: "trivy/*.xml" + cache: + paths: + - .trivycache/ rules: - if: '$DOCKER_TRIVY_DISABLED == "true"' when: never - - if: '$DOCKER_TRIVY_ADDR && ($CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF)' + - if: '($CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF)' # allow failure on development branches: - - if: $DOCKER_TRIVY_ADDR - allow_failure: true + - allow_failure: true # ==================================================