Commit 9b2bd783 authored by Marco Nacken, committed by Cédric OLIVIER

feat(trivy): add variable for setting trivy db repository path

parent 544e87f6
...@@ -403,6 +403,8 @@ It is bound to the `package-test` stage, and uses the following variables: ...@@ -403,6 +403,8 @@ It is bound to the `package-test` stage, and uses the following variables:
| `trivy-security-level-threshold` / `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD` | Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | | `trivy-security-level-threshold` / `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD` | Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis | _(none)_ | | `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis | _(none)_ |
| `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` | | `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` |
| `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | Set a custom DB repository path for downloading the trivy database | _(none: default "ghcr.io/aquasecurity/trivy-db")_ |
In addition to a textual report in the console, this job produces the following reports, kept for one day: In addition to a textual report in the console, this job produces the following reports, kept for one day:
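Review bot: the new `trivy-db-repository` row should state that the value is only honoured in standalone mode (when `DOCKER_TRIVY_ADDR` is unset); the job script in this commit only passes `--db-repository` on the standalone path, so a user who sets it together with `DOCKER_TRIVY_ADDR` would otherwise expect an effect that never happens. The default column also breaks the table's convention: the other rows put literal defaults in backticks, while this one reads `_(none: default "ghcr.io/aquasecurity/trivy-db")_`. Suggest `_(none)_` in the default column and moving the Trivy default into the description, e.g. "Custom OCI repository to pull the Trivy vulnerability database from (Trivy default: `ghcr.io/aquasecurity/trivy-db`); standalone mode only", and one sentence saying this is the knob for runners without egress to ghcr.io that must pull from a private mirror.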
...@@ -196,6 +196,11 @@ ...@@ -196,6 +196,11 @@
"description": "Additional `trivy client` arguments", "description": "Additional `trivy client` arguments",
"default": "--ignore-unfixed --vuln-type os --exit-on-eol 1", "default": "--ignore-unfixed --vuln-type os --exit-on-eol 1",
"advanced": true "advanced": true
},
{
"name": "DOCKER_TRIVY_DB_REPOSITORY",
"description": "Custom DB repository path",
"advanced": true
} }
] ]
}, },
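Review bot: the `description` here ("Custom DB repository path") is a different abbreviation from the README wording and again omits both the Trivy default and the standalone-only scope; since this JSON is what the configuration UI shows, use the same sentence as the README so the two do not drift, e.g. "Custom OCI repository for the Trivy vulnerability database (default `ghcr.io/aquasecurity/trivy-db`); standalone mode only". Omitting `"default"` is consistent with the documented `_(none)_` default, so that part is fine.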
...@@ -170,6 +170,9 @@ spec: ...@@ -170,6 +170,9 @@ spec:
trivy-args: trivy-args:
description: Additional `trivy client` arguments description: Additional `trivy client` arguments
default: --ignore-unfixed --vuln-type os --exit-on-eol 1 default: --ignore-unfixed --vuln-type os --exit-on-eol 1
trivy-db-repository:
description: Custom DB repository path
default: ''
sbom-disabled: sbom-disabled:
description: Disable Software Bill of Materials description: Disable Software Bill of Materials
type: boolean type: boolean
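Review bot: `default: ''` is the right choice, since the job script tests the resulting variable with `-z` and an empty string therefore means "use Trivy's default"; but the `description` is a third, different wording ("Custom DB repository path") and should match the README and the JSON entry, including the Trivy default `ghcr.io/aquasecurity/trivy-db` and the note that it only applies in standalone mode, so the three places cannot drift apart.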
...@@ -245,6 +248,7 @@ variables: ...@@ -245,6 +248,7 @@ variables:
DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]] DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]] DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]] DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]]
DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]]
# SBOM genenration image and arguments # SBOM genenration image and arguments
DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]] DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]]
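Review bot: the `DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]]` mapping is consistent with the neighbouring Trivy variables and needs no change. Unrelated to this change but on the adjacent context line, the comment `# SBOM genenration image and arguments` has a typo (`generation`) that could be fixed while this file is being touched.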
...@@ -926,7 +930,11 @@ docker-trivy: ...@@ -926,7 +930,11 @@ docker-trivy:
mkdir -p ./reports mkdir -p ./reports
if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m" log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
trivy image --download-db-only if [[ -z "${DOCKER_TRIVY_DB_REPOSITORY}" ]]; then
trivy image --download-db-only
else
trivy image --download-db-only --db-repository ${DOCKER_TRIVY_DB_REPOSITORY}
fi
export trivy_opts="image" export trivy_opts="image"
else else
log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}" log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"
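Review bot: two points on the standalone branch. First, `${DOCKER_TRIVY_DB_REPOSITORY}` on the `--db-repository` line is unquoted while the `-z` test just above quotes the same variable; quote it (`--db-repository "${DOCKER_TRIVY_DB_REPOSITORY}"`) so a value containing spaces or glob characters cannot be split into extra arguments. The if/else can then be collapsed into an argument array, for example `db_args=()`, `[[ -n "${DOCKER_TRIVY_DB_REPOSITORY}" ]] && db_args=(--db-repository "${DOCKER_TRIVY_DB_REPOSITORY}")`, `trivy image --download-db-only "${db_args[@]}"`. Second, the custom repository is applied only to the `--download-db-only` pre-fetch; the scan command that later uses `trivy_opts="image"` is not in this hunk, so please confirm it either receives the same `--db-repository` or runs with `--skip-db-update`. Otherwise, if Trivy considers the cached DB stale at scan time it will try to refresh from the default `ghcr.io/aquasecurity/trivy-db`, which is exactly the egress this variable exists to avoid on a restricted runner.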