From 9b2bd783a646c559b4097fc1e97ad73386359de4 Mon Sep 17 00:00:00 2001
From: Marco Nacken <marconacken@web.de>
Date: Thu, 28 Mar 2024 15:16:07 +0000
Subject: [PATCH] feat(trivy): add variable for setting trivy db repository path
---
 README.md | 2 ++
 kicker.json | 5 +++++
 templates/gitlab-ci-docker.yml | 10 +++++++++-
 3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 17b60aa..69567d6 100644
--- a/README.md
+++ b/README.md
@@ -403,6 +403,8 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `trivy-security-level-threshold` / `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD` | Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
 | `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis | _(none)_ |
 | `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` |
+| `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | Set a custom DB repository path for downloading the trivy database | _(none: default "ghcr.io/aquasecurity/trivy-db")_ |
+
 In addition to a textual report in the console, this job produces the following reports, kept for one day:
diff --git a/kicker.json b/kicker.json
index 6e62433..fc831df 100644
--- a/kicker.json
+++ b/kicker.json
@@ -196,6 +196,11 @@
 "description": "Additional `trivy client` arguments",
 "default": "--ignore-unfixed --vuln-type os --exit-on-eol 1",
 "advanced": true
+},
+{
+"name": "DOCKER_TRIVY_DB_REPOSITORY",
+"description": "Custom DB repository path",
+"advanced": true
 }
 ]
 },
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index e480847..dba6029 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -170,6 +170,9 @@ spec:
 trivy-args:
 description: Additional `trivy client` arguments
 default: --ignore-unfixed --vuln-type os --exit-on-eol 1
+trivy-db-repository:
+description: Custom DB repository path
+default: ''
 sbom-disabled:
 description: Disable Software Bill of Materials
 type: boolean
@@ -245,6 +248,7 @@ variables:
 DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
 DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
 DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]]
+DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]]
 # SBOM genenration image and arguments
 DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]]
@@ -926,7 +930,11 @@ docker-trivy:
 mkdir -p ./reports
 if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
 log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
-trivy image --download-db-only
+if [[ -z "${DOCKER_TRIVY_DB_REPOSITORY}" ]]; then
+trivy image --download-db-only
+else
+trivy image --download-db-only --db-repository ${DOCKER_TRIVY_DB_REPOSITORY}
+fi
 export trivy_opts="image"
 else
 log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"
-- GitLab
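Review bot: The description of the new `trivy-db-repository` input does not say that it is only honored in standalone mode: the `docker-trivy` hunk further down this file passes `--db-repository` only inside the `if [[ -z "${DOCKER_TRIVY_ADDR}" ]]` branch, so with a Trivy server configured the input is silently ignored and the server's own DB is used. Because the scan can only report what the downloaded DB contains, the description should also make clear that the value must point to a registry the pipeline trusts (an internal mirror of the official DB), not an arbitrary path. Suggested wording: `description: Custom Trivy vulnerability DB repository (standalone mode only; must be a trusted mirror of ghcr.io/aquasecurity/trivy-db)`. The same wording would fit the matching `kicker.json` entry and README row, which currently describe it only as a "custom DB repository path".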
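Review bot: `${DOCKER_TRIVY_DB_REPOSITORY}` is expanded unquoted on the new `--db-repository` line, unlike `"${DOCKER_TRIVY_ADDR}"` a few lines above, so a value containing whitespace or glob characters is word-split or expanded before trivy sees it; quoting it also lets the duplicated `if`/`else` collapse to a single line, `trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository "${DOCKER_TRIVY_DB_REPOSITORY}"}`. The custom repository is only passed to the `--download-db-only` call; the scan that later consumes `trivy_opts` is outside this hunk, and if Trivy decides at scan time that the cached DB needs a refresh it would presumably fall back to the default repository, which is worth confirming and, if so, passing `--db-repository` (or `--skip-db-update`) there as well. Nothing in the job log records which repository the DB came from, so a `log_info "Downloading Trivy DB from ${DOCKER_TRIVY_DB_REPOSITORY}"` on the custom branch would make a mis-pointed mirror visible. The enclosing `docker-trivy` script starts before and continues after this hunk.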