diff --git a/CHANGELOG.md b/CHANGELOG.md
index f0e4b0bcbee4e26143bd15d41fda04b5912c7959..0b525e4f4abbedb61a7029a916fbf6c376414ebe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,65 @@
-# [5.12.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/compare/5.11.1...5.12.0) (2024-08-29)
+# [6.0.0](https://gitlab.com/to-be-continuous/docker/compare/5.14.1...6.0.0) (2024-11-26)
+
+
+### Code Refactoring
+
+* **trivy:** enforce usage of Trivy environment variables ([e69ce13](https://gitlab.com/to-be-continuous/docker/commit/e69ce13565711b9dac8ee7b7105c8e9061bb3799))
+
+
+### BREAKING CHANGES
+
+* **trivy:** 4 Trivy configuration params removed in favor of the native Trivy environment variables
+
+## [5.14.1](https://gitlab.com/to-be-continuous/docker/compare/5.14.0...5.14.1) (2024-11-02)
+
+
+### Bug Fixes
+
+* limit security reports access to developer role or higher ([29a3173](https://gitlab.com/to-be-continuous/docker/commit/29a3173e7393ad84df324a34cd8cdc17ab3cac14))
+
+# [5.14.0](https://gitlab.com/to-be-continuous/docker/compare/5.13.3...5.14.0) (2024-11-01)
+
+
+### Features
+
+* **mirror:** add support for DOCKER_REGISTRY_MIRROR_USER/PASSWORD vars ([76c9d16](https://gitlab.com/to-be-continuous/docker/commit/76c9d1699fb5a6c03b827c8b035314e4873d173b))
+
+## [5.13.3](https://gitlab.com/to-be-continuous/docker/compare/5.13.2...5.13.3) (2024-10-24)
+
+
+### Bug Fixes
+
+* set trivy artifact expiration ([5854b42](https://gitlab.com/to-be-continuous/docker/commit/5854b428f1007c7cde90ad836fba6b9cbcc2a251))
+
+## [5.13.2](https://gitlab.com/to-be-continuous/docker/compare/5.13.1...5.13.2) (2024-10-04)
+
+
+### Bug Fixes
+
+* **trivy:** use --pkg-types instead of deprecated --vuln-type option ([76d0f3f](https://gitlab.com/to-be-continuous/docker/commit/76d0f3f506278028eebb3a526322ae205f347761))
+
+## [5.13.1](https://gitlab.com/to-be-continuous/docker/compare/5.13.0...5.13.1) (2024-09-21)
+
+
+### Bug Fixes
+
+* allow Skopeo to inherit Docker auth config ([9bb198e](https://gitlab.com/to-be-continuous/docker/commit/9bb198ef051fc53decf5e7a79970c6a1f5204567))
+
+# [5.13.0](https://gitlab.com/to-be-continuous/docker/compare/5.12.1...5.13.0) (2024-09-15)
+
+
+### Features
+
+* **trivy:** enable comprehensive priority ([d26a665](https://gitlab.com/to-be-continuous/docker/commit/d26a6659d9c184455f4c6473154621a50af4b6e9))
+
+## [5.12.1](https://gitlab.com/to-be-continuous/docker/compare/5.12.0...5.12.1) (2024-09-12)
+
+
+### Bug Fixes
+
+* wrong default value for DOCKER_TRIVY_ARGS ([1b84a79](https://gitlab.com/to-be-continuous/docker/commit/1b84a792b86bcae5dec8e9a4c4d9f35deb55ee98))
+
+# [5.12.0](https://gitlab.com/to-be-continuous/docker/compare/5.11.1...5.12.0) (2024-08-26)
### Features
diff --git a/README.md b/README.md
index 71b3daac4e704a7125b88a88b703a737e2fad620..6ae8924867071ca8471bb461e1cac4b751f79ff7 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`:
```yaml
include:
# 1: include the component
- - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/docker/gitlab-ci-docker@5.12.0
+ - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
# 2: set/override component inputs
inputs:
build-tool: buildah # ⚠ this is only an example
@@ -28,7 +28,7 @@ Add the following to your `.gitlab-ci.yml`:
include:
# 1: include the template
- project: 'to-be-continuous/docker'
- ref: '5.12.0'
+ ref: '6.0.0'
file: '/templates/gitlab-ci-docker.yml'
variables:
@@ -136,6 +136,16 @@ If you use **different registries** for snapshot and release images, you shall u
| :lock: `DOCKER_REGISTRY_RELEASE_USER` | Docker registry username for release image registry |
| :lock: `DOCKER_REGISTRY_RELEASE_PASSWORD` | Docker registry password for release image registry |
+#### Using a registry mirror during image builds
+
+You can provide a URL for a mirror registry of `https://index.docker.io` for use during image builds (:warning: `kaniko` and `dind` options only), and optionally with credentials for the mirror, using the following variables:
+
+| Input / Variable | Description |
+| -------------------------------------------- | ------------------------------------------------ |
+| `registry-mirror` / `DOCKER_REGISTRY_MIRROR` | URL of a Docker registry mirror to use |
+| :lock: `DOCKER_REGISTRY_MIRROR_USER` | Docker registry username for the mirror registry |
+| :lock: `DOCKER_REGISTRY_MIRROR_PASSWORD` | Docker registry password for the mirror registry |
+
#### Setting your own Docker configuration file (advanced)
There might be cases where you need to provide the complete [Docker configuration file](https://docs.docker.com/engine/reference/commandline/cli/#configuration-files):
@@ -163,6 +173,8 @@ In addition to you own defined variables, you may use the following variables (p
- `${docker_snapshot_registry_host}`: the snapshot registry host (based on the configured `DOCKER_SNAPSHOT_IMAGE` variable)
- `${docker_release_authent_token}`: the authentication token required by the release registry (computed from configured `DOCKER_REGISTRY_RELEASE_USER` / `DOCKER_REGISTRY_RELEASE_PASSWORD` variables)
- `${docker_release_registry_host}`: the release registry host (based on the configured `DOCKER_RELEASE_IMAGE` variable)
+- `${docker_mirror_authent_token}`: the authentication token required by the mirror registry (computed from configured `DOCKER_REGISTRY_MIRROR_USER` / `DOCKER_REGISTRY_MIRROR_PASSWORD` variables)
+- `${docker_mirror_registry_host}`: the mirror registry host (based on the configured `DOCKER_REGISTRY_MIRROR` variable)
Example 1: Docker configuration file inlined in the project repository (`.docker/config.json`) with **dynamic variables replacement**:
@@ -170,10 +182,10 @@ Example 1: Docker configuration file inlined in the project repository (`.docker
{
"auths": {
"${docker_snapshot_registry_host}": {
- "auth": "${docker_release_authent_token}"
+ "auth": "${docker_snapshot_authent_token}"
},
"${docker_release_registry_host}": {
- "auth": "${docker_snapshot_authent_token}"
+ "auth": "${docker_release_authent_token}"
},
"my-readonly-repo-to-pull": {
"auth": "${MY_OWN_REGISTRY_TOKEN}"
@@ -285,11 +297,11 @@ FROM ubuntu
RUN cd /tmp && echo "hello!"
```
-In addition to a textual report in the console, this job produces the following reports, kept for one day:
+In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:
| Report | Format | Usage |
| -------------------------------------------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `reports/docker-hadolint-*.native.json` | native hadolint test report (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#hadolint)<br/>_This report is generated only if DefectDojo template is detected_ |
+| `reports/docker-hadolint-*.native.json` | native hadolint test report (json) | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/hadolint/)<br/>_This report is generated only if DefectDojo template is detected_ |
| `reports/docker-hadolint-*.codeclimate.json` | hadolint (GitLab) codeclimate format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality) |
### `docker-*-build` jobs
@@ -310,7 +322,7 @@ It is bound to the `package-build` stage, and uses the following variables:
| `dind-build-job-tags` / `DOCKER_DIND_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
| `buildah-build-job-tags` / `DOCKER_BUILDAH_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
-This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
+This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv)):
| Input / Variable | Description | Example |
| --------------------- | ------------------------------------------------------ | -------------------------------------------------------------- |
@@ -401,15 +413,15 @@ In case your image takes quite some time to be downloaded by the runner, increas
### `docker-trivy` job
-This job performs a Vulnerability Static Analysis with [Trivy](https://github.com/aquasecurity/trivy) on your built image.
+This job performs a Vulnerability Static Analysis with [Trivy](https://aquasecurity.github.io/trivy) on your built image.
-Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/v0.28.0/docs/references/modes/standalone/) mode.
+Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/latest/docs/references/modes/standalone/) mode.
-If you want to run Trivy in client/server mode, you need to set the `DOCKER_TRIVY_ADDR` environment variable.
+If you want to run Trivy in client/server mode, you need to set the `TRIVY_SERVER` environment variable.
```yaml
variables:
- DOCKER_TRIVY_ADDR: "https://trivy.acme.host"
+ TRIVY_SERVER: "https://trivy.acme.host"
```
It is bound to the `package-test` stage, and uses the following variables:
@@ -425,12 +437,20 @@ It is bound to the `package-test` stage, and uses the following variables:
| `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY` | OCI repository to retrieve Trivy Java Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)_ |
| `docker-trivy-job-tags` / `DOCKER_DOCKER_TRIVY_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
-In addition to a textual report in the console, this job produces the following reports, kept for one day:
+Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options).
+Examples:
+
+* `TRIVY_SEVERITY`: severities of security issues to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)
+* `TRIVY_SERVER`: server address (enables client/server mode)
+* `TRIVY_DB_REPOSITORY`: OCI repository to retrieve Trivy Database from
+* `TRIVY_JAVA_DB_REPOSITORY`: OCI repository to retrieve Trivy Java Database from
+
+In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:
| Report | Format | Usage |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#trivy)<br/>_This report is generated only if DefectDojo template is detected_ |
-| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/v0.30.4/docs/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) |
+| `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/trivy/)<br/>_This report is generated only if DefectDojo template is detected_ |
+| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) |
### `docker-sbom` job
@@ -459,7 +479,7 @@ This job pushes (_promotes_) the built image as the _release_ image [skopeo](htt
| `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration) | _none_ (enabled) |
| `docker-publish-job-tags` / `DOCKER_DOCKER_PUBLISH_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
-This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
+This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv)):
| Input / Variable | Description | Example |
| --------------------- | ----------------------------------------------------- | ----------------------------------------------------- |
@@ -551,7 +571,7 @@ Here is a `.gitlab-ci.yaml` using an external Docker registry:
```yaml
include:
- - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
+ - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
inputs:
snapshot-image: "registry.acme.host/$CI_PROJECT_NAME/snapshot:$CI_COMMIT_REF_SLUG"
release-image: "registry.acme.host/$CI_PROJECT_NAME:$CI_COMMIT_REF_NAME"
@@ -566,7 +586,7 @@ Here is a `.gitlab-ci.yaml` that builds 2 Docker images from the same project (u
```yaml
include:
- - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
+ - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
.docker-base:
parallel:
@@ -594,10 +614,12 @@ In order to be able to communicate with the Vault server, the variant requires t
| Input / Variable | Description | Default value |
| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- |
| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest` |
-| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url | _none_ |
+| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url | **must be defined** |
| `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
-| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
-| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
+| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
+| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |
+
+By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
#### Usage
@@ -619,14 +641,13 @@ With:
```yaml
include:
# main template
- - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
+ - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
# Vault variant
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-vault@5.7.0
inputs:
# audience claim for JWT
vault-oidc-aud: "https://vault.acme.host"
vault-base-url: "https://vault.acme.host/v1"
- # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
variables:
# Secrets managed by Vault
@@ -668,7 +689,7 @@ to use the snapshot image repository (will host your snapshot image as well as c
```yaml
include:
- - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
+ - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
inputs:
build-tool: "kaniko" # Only Kaniko has been proved to work for this use case YET
# untested & unverified container image
@@ -741,7 +762,7 @@ then set the required configuration.
```yaml
include:
- - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
+ - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
inputs:
# untested & unverified container image
snapshot-image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH_SLUG/snapshot:$CI_COMMIT_REF_SLUG"
diff --git a/bumpversion.sh b/bumpversion.sh
index 329e866dac988c049574a0a9f26ba89979c523a8..708faf434d2459d63b2bdaceada5eb32b0fd39eb 100755
--- a/bumpversion.sh
+++ b/bumpversion.sh
@@ -27,7 +27,7 @@ if [[ "$curVer" ]]; then
log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
# replace in README
- sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
+ sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
mv -f README.md.next README.md
# replace in template and variants
diff --git a/kicker.json b/kicker.json
index e6e285a9a6fe5ce015e8e297e5a612b37112c052..0ef843fdb54da35f388ef8617aa0d8ab5bbb4a2d 100644
--- a/kicker.json
+++ b/kicker.json
@@ -216,7 +216,7 @@
{
"id": "trivy",
"name": "Trivy",
- "description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis",
+ "description": "[Trivy](https://aquasecurity.github.io/trivy) vulnerability analysis",
"disable_with": "DOCKER_TRIVY_DISABLED",
"variables": [
{
@@ -225,32 +225,10 @@
"default": "registry.hub.docker.com/aquasec/trivy:latest",
"advanced": true
},
- {
- "name": "DOCKER_TRIVY_ADDR",
- "type": "url",
- "description": "The Trivy server address"
- },
- {
- "name": "DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD",
- "type": "enum",
- "values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"],
- "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
- "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
- },
{
"name": "DOCKER_TRIVY_ARGS",
- "description": "Additional `trivy client` arguments",
- "default": "--ignore-unfixed --vuln-type os --exit-on-eol 1",
- "advanced": true
- },
- {
- "name": "DOCKER_TRIVY_DB_REPOSITORY",
- "description": "OCI repository to retrieve Trivy Database from",
- "advanced": true
- },
- {
- "name": "DOCKER_TRIVY_JAVA_DB_REPOSITORY",
- "description": "OCI repository to retrieve Trivy Java Database from",
+ "description": "Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)",
+ "default": "--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive",
"advanced": true
},
{
diff --git a/templates/gitlab-ci-docker-ecr.yml b/templates/gitlab-ci-docker-ecr.yml
index fee78fe138af70333e626874990b7cdab94c5f8a..2d5e82a854ff162c0a66932ed18e950ae571c304 100644
--- a/templates/gitlab-ci-docker-ecr.yml
+++ b/templates/gitlab-ci-docker-ecr.yml
@@ -45,7 +45,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
- command: ["--service", "docker", "5.12.0"]
+ command: ["--service", "docker", "6.0.0"]
- name: "$TBC_AWS_PROVIDER_IMAGE"
alias: "aws-auth-provider"
id_tokens:
diff --git a/templates/gitlab-ci-docker-gcp.yml b/templates/gitlab-ci-docker-gcp.yml
index 3632573329fcbdf23a6a88be6eb6249d81e23d88..e44d381397bf604d3cbcd8ab1fffe372de910b47 100644
--- a/templates/gitlab-ci-docker-gcp.yml
+++ b/templates/gitlab-ci-docker-gcp.yml
@@ -44,7 +44,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
- command: ["--service", "docker", "5.12.0"]
+ command: ["--service", "docker", "6.0.0"]
- name: "$TBC_GCP_PROVIDER_IMAGE"
alias: "gcp-auth-provider"
variables:
diff --git a/templates/gitlab-ci-docker-vault.yml b/templates/gitlab-ci-docker-vault.yml
index 5a06bb88dd901acfda8d6789f51ad49e567b4cf3..81e3fdb17844dfbcdfc258b79f723f47a92f195c 100644
--- a/templates/gitlab-ci-docker-vault.yml
+++ b/templates/gitlab-ci-docker-vault.yml
@@ -22,7 +22,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
- command: ["--service", "docker", "5.12.0"]
+ command: ["--service", "docker", "6.0.0"]
- name: "$TBC_VAULT_IMAGE"
alias: "vault-secrets-provider"
variables:
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index 6a31be89ff93298a0a7cb33a6d98749361fea79e..8ae9cbaae588a9096e0432678755c4a4f19c32e1 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -158,27 +158,9 @@ spec:
trivy-image:
description: The docker image used to scan images with Trivy
default: registry.hub.docker.com/aquasec/trivy:latest
- trivy-addr:
- description: The Trivy server address
- default: ''
- trivy-security-level-threshold:
- description: 'Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'
- options:
- - UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- - LOW,MEDIUM,HIGH,CRITICAL
- - MEDIUM,HIGH,CRITICAL
- - HIGH,CRITICAL
- - CRITICAL
- default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
trivy-args:
- description: Additional `trivy client` arguments
- default: --ignore-unfixed --vuln-type os --exit-on-eol 1
- trivy-db-repository:
- description: Custom OCI repository to retrieve Trivy Database from
- default: ''
- trivy-java-db-repository:
- description: Custom Java DB repository path
- default: ''
+ description: Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)
+ default: --ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive
sbom-disabled:
description: Disable Software Bill of Materials
type: boolean
@@ -287,11 +269,9 @@ variables:
DOCKER_SNAPSHOT_IMAGE: $[[ inputs.snapshot-image ]]
DOCKER_RELEASE_IMAGE: $[[ inputs.release-image ]]
- DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]]
- DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]]
- DOCKER_TRIVY_JAVA_DB_REPOSITORY: $[[ inputs.trivy-java-db-repository ]]
+ DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
# SBOM genenration image and arguments
DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]]
@@ -327,8 +307,6 @@ variables:
DOCKER_HEALTHCHECK_DISABLED: $[[ inputs.healthcheck-disabled ]]
DOCKER_HEALTHCHECK_OPTIONS: $[[ inputs.healthcheck-options ]]
DOCKER_HEALTHCHECK_CONTAINER_ARGS: $[[ inputs.healthcheck-container-args ]]
- DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
- DOCKER_TRIVY_ADDR: $[[ inputs.trivy-addr ]]
DOCKER_SBOM_DISABLED: $[[ inputs.sbom-disabled ]]
# ==================================================
@@ -551,6 +529,22 @@ stages:
done
}
+ # simple JSON merge (used in Skopeo job only)
+ function merge_json() {
+ python3 -c "import json,sys
+ def merge(a,b):
+ for key in b:
+ if key in a and isinstance(a[key],dict) and isinstance(b[key],dict): a[key]=merge(a[key],b[key])
+ else: a[key]=b[key]
+ return a
+ def mergef(*files):
+ res={}
+ for f in files:
+ with open(f,'r') as rd: res=merge(res,json.load(rd))
+ return res
+ print(json.dumps(mergef(*sys.argv[1:])))" "$@"
+ }
+
function wait_for_docker_daemon() {
log_info "Wait for Docker daemon..."
# shellcheck disable=SC2034
@@ -582,8 +576,19 @@ stages:
export docker_release_authent_token
export docker_release_registry_host
- docker_snapshot_config_json=$(echo -n "{\"auths\":{\"$docker_snapshot_registry_host\":{\"auth\":\"$docker_snapshot_authent_token\"},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}}")
- docker_release_config_json=$(echo -n "{\"auths\":{\"$docker_release_registry_host\":{\"auth\":\"$docker_release_authent_token\"},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}}")
+ if [[ -n "$DOCKER_REGISTRY_MIRROR" && -n "$DOCKER_REGISTRY_MIRROR_USER" ]]
+ then
+ docker_mirror_authent_token=$(echo -n "$DOCKER_REGISTRY_MIRROR_USER:$DOCKER_REGISTRY_MIRROR_PASSWORD" | base64 | tr -d '\n')
+ # shellcheck disable=SC2001
+ docker_mirror_registry_host=$(echo "$DOCKER_REGISTRY_MIRROR" | sed "s|^https*://||" | cut -d/ -f1)
+ export docker_mirror_authent_token
+ export docker_mirror_registry_host
+
+ docker_mirror_config_json="\"$docker_mirror_registry_host\":{\"auth\":\"$docker_mirror_authent_token\"},"
+ fi
+
+ docker_snapshot_config_json=$(echo -n "{\"auths\":{$docker_mirror_config_json\"$docker_snapshot_registry_host\":{\"auth\":\"$docker_snapshot_authent_token\"}},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}")
+ docker_release_config_json=$(echo -n "{\"auths\":{$docker_mirror_config_json\"$docker_release_registry_host\":{\"auth\":\"$docker_release_authent_token\"}},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}")
# Create the configuration file for Docker and Kaniko
BUILDTOOL_HOME=${BUILDTOOL_HOME:-$HOME}
@@ -595,10 +600,16 @@ stages:
echo "${docker_snapshot_config_json}" > "$BUILDTOOL_HOME/.docker/config.json"
fi
- # Create the configuration file for Skopeo
- mkdir -p "$BUILDTOOL_HOME/skopeo/.docker"
- echo "${docker_snapshot_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/src-config.json"
- echo "${docker_release_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json"
+ # Create the configuration files for Skopeo
+ if command -v skopeo > /dev/null
+ then
+ mkdir -p "$BUILDTOOL_HOME/skopeo/.docker"
+ # use same auth config as the build tool for the source image
+ cp -f "$BUILDTOOL_HOME/.docker/config.json" "$BUILDTOOL_HOME/skopeo/.docker/src-config.json"
+ # use a merged auth config for the destination image
+ echo "${docker_release_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/release-only.json"
+ merge_json "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json"
+ fi
log_info "Docker authentication configured for \\e[33;1m${docker_snapshot_registry_host}\\e[0m"
}
@@ -701,7 +712,7 @@ stages:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
- command: ["--service", "docker", "5.12.0"]
+ command: ["--service", "docker", "6.0.0"]
before_script:
- !reference [.docker-scripts]
@@ -737,7 +748,7 @@ stages:
_TRACE: "${TRACE}"
services:
- name: "$TBC_TRACKING_IMAGE"
- command: ["--service", "docker", "5.12.0"]
+ command: ["--service", "docker", "6.0.0"]
- name: $DOCKER_DIND_IMAGE
alias: docker
command:
@@ -786,6 +797,7 @@ docker-hadolint:
artifacts:
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 day
+ access: developer
when: always
reports:
codequality:
@@ -998,27 +1010,23 @@ docker-trivy:
export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
mkdir -p ./reports
- if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
- log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
- trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository $DOCKER_TRIVY_DB_REPOSITORY} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY}
- export trivy_opts="image"
- else
- log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"
- export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}"
- fi
- # Add common trivy arguments
- # The Java DB is downloaded client-side in client/server mode (https://github.com/aquasecurity/trivy/issues/3560), so we need to specify the Java DB repository
- export trivy_opts="${trivy_opts} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}"
- # GitLab format (no fail)
- trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $DOCKER_SNAPSHOT_IMAGE
- # JSON format (no fail)
- if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
- then
- trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE
+ if [[ -z "$TRIVY_SERVER" ]]; then
+ log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
fi
- # console output (fail)
- trivy ${trivy_opts} --format table --exit-code 1 $DOCKER_SNAPSHOT_IMAGE
+ # Generate the native JSON report that can later be converted to other formats
+ trivy image --no-progress ${DOCKER_TRIVY_ARGS} --exit-code 1 --format json --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE || exit_code=$?
+
+ # Generate a report in the GitLab format
+ trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json reports/docker-trivy-${basename}.native.json
+
+ # console output
+ trivy convert --format table reports/docker-trivy-${basename}.native.json
+
+ exit $exit_code
artifacts:
+ name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+ expire_in: 1 day
+ access: developer
when: always
paths:
- "reports/docker-trivy-*"