diff --git a/CHANGELOG.md b/CHANGELOG.md index f0e4b0bcbee4e26143bd15d41fda04b5912c7959..0b525e4f4abbedb61a7029a916fbf6c376414ebe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,65 @@ -# [5.12.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/compare/5.11.1...5.12.0) (2024-08-29) +# [6.0.0](https://gitlab.com/to-be-continuous/docker/compare/5.14.1...6.0.0) (2024-11-26) + + +### Code Refactoring + +* **trivy:** enforce usage of Trivy environment variables ([e69ce13](https://gitlab.com/to-be-continuous/docker/commit/e69ce13565711b9dac8ee7b7105c8e9061bb3799)) + + +### BREAKING CHANGES + +* **trivy:** 4 Trivy configuration params removed in favor of the native Trivy environment variables + +## [5.14.1](https://gitlab.com/to-be-continuous/docker/compare/5.14.0...5.14.1) (2024-11-02) + + +### Bug Fixes + +* limit security reports access to developer role or higher ([29a3173](https://gitlab.com/to-be-continuous/docker/commit/29a3173e7393ad84df324a34cd8cdc17ab3cac14)) + +# [5.14.0](https://gitlab.com/to-be-continuous/docker/compare/5.13.3...5.14.0) (2024-11-01) + + +### Features + +* **mirror:** add support for DOCKER_REGISTRY_MIRROR_USER/PASSWORD vars ([76c9d16](https://gitlab.com/to-be-continuous/docker/commit/76c9d1699fb5a6c03b827c8b035314e4873d173b)) + +## [5.13.3](https://gitlab.com/to-be-continuous/docker/compare/5.13.2...5.13.3) (2024-10-24) + + +### Bug Fixes + +* set trivy artifact expiration ([5854b42](https://gitlab.com/to-be-continuous/docker/commit/5854b428f1007c7cde90ad836fba6b9cbcc2a251)) + +## [5.13.2](https://gitlab.com/to-be-continuous/docker/compare/5.13.1...5.13.2) (2024-10-04) + + +### Bug Fixes + +* **trivy:** use --pkg-types instead of deprecated --vuln-type option ([76d0f3f](https://gitlab.com/to-be-continuous/docker/commit/76d0f3f506278028eebb3a526322ae205f347761)) + +## [5.13.1](https://gitlab.com/to-be-continuous/docker/compare/5.13.0...5.13.1) (2024-09-21) + + +### Bug Fixes + +* allow Skopeo to inherit Docker auth config ([9bb198e](https://gitlab.com/to-be-continuous/docker/commit/9bb198ef051fc53decf5e7a79970c6a1f5204567)) + +# 
[5.13.0](https://gitlab.com/to-be-continuous/docker/compare/5.12.1...5.13.0) (2024-09-15) + + +### Features + +* **trivy:** enable comprehensive priority ([d26a665](https://gitlab.com/to-be-continuous/docker/commit/d26a6659d9c184455f4c6473154621a50af4b6e9)) + +## [5.12.1](https://gitlab.com/to-be-continuous/docker/compare/5.12.0...5.12.1) (2024-09-12) + + +### Bug Fixes + +* wrong default value for DOCKER_TRIVY_ARGS ([1b84a79](https://gitlab.com/to-be-continuous/docker/commit/1b84a792b86bcae5dec8e9a4c4d9f35deb55ee98)) + +# [5.12.0](https://gitlab.com/to-be-continuous/docker/compare/5.11.1...5.12.0) (2024-08-26) ### Features diff --git a/README.md b/README.md index 71b3daac4e704a7125b88a88b703a737e2fad620..6ae8924867071ca8471bb461e1cac4b751f79ff7 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`: ```yaml include: # 1: include the component - - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/docker/gitlab-ci-docker@5.12.0 + - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0 # 2: set/override component inputs inputs: build-tool: buildah # ⚠ this is only an example @@ -28,7 +28,7 @@ Add the following to your `.gitlab-ci.yml`: include: # 1: include the template - project: 'to-be-continuous/docker' - ref: '5.12.0' + ref: '6.0.0' file: '/templates/gitlab-ci-docker.yml' variables: 
@@ -136,6 +136,16 @@ If you use **different registries** for snapshot and release images, you shall u | :lock: `DOCKER_REGISTRY_RELEASE_USER` | Docker registry username for release image registry | | :lock: `DOCKER_REGISTRY_RELEASE_PASSWORD` | Docker registry password for release image registry | +#### Using a registry mirror during image builds + +You can provide a URL for a mirror registry of `https://index.docker.io` for use during image builds (:warning: `kaniko` and `dind` options only), and optionally with credentials for the mirror, using the following variables: + +| Input / Variable | Description | +| -------------------------------------------- | ------------------------------------------------ | +| `registry-mirror` / `DOCKER_REGISTRY_MIRROR` | URL of a Docker registry mirror to use | +| :lock: `DOCKER_REGISTRY_MIRROR_USER` | Docker registry username for the mirror registry | +| :lock: `DOCKER_REGISTRY_MIRROR_PASSWORD` | Docker registry password for the mirror registry | + #### Setting your own Docker configuration file (advanced) There might be cases where you need to provide the complete [Docker configuration file](https://docs.docker.com/engine/reference/commandline/cli/#configuration-files): 
@@ -163,6 +173,8 @@ In addition to you own defined variables, you may use the following variables (p - `${docker_snapshot_registry_host}`: the snapshot registry host (based on the configured `DOCKER_SNAPSHOT_IMAGE` variable) - `${docker_release_authent_token}`: the authentication token required by the release registry (computed from configured `DOCKER_REGISTRY_RELEASE_USER` / `DOCKER_REGISTRY_RELEASE_PASSWORD` variables) - `${docker_release_registry_host}`: the release registry host (based on the configured `DOCKER_RELEASE_IMAGE` variable) +- `${docker_mirror_authent_token}`: the authentication token required by the mirror registry (computed from configured `DOCKER_REGISTRY_MIRROR_USER` / `DOCKER_REGISTRY_MIRROR_PASSWORD` variables) +- `${docker_mirror_registry_host}`: the mirror registry host (based on the configured `DOCKER_REGISTRY_MIRROR` variable) Example 1: Docker configuration file inlined in the project repository (`.docker/config.json`) with **dynamic variables replacement**: @@ -170,10 +182,10 @@ Example 1: Docker configuration file inlined in the project repository (`.docker { "auths": { "${docker_snapshot_registry_host}": { - "auth": "${docker_release_authent_token}" + "auth": "${docker_snapshot_authent_token}" }, "${docker_release_registry_host}": { - "auth": "${docker_snapshot_authent_token}" + "auth": "${docker_release_authent_token}" }, "my-readonly-repo-to-pull": { "auth": "${MY_OWN_REGISTRY_TOKEN}" 
@@ -285,11 +297,11 @@ FROM ubuntu RUN cd /tmp && echo "hello!" ``` -In addition to a textual report in the console, this job produces the following reports, kept for one day: +In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher: | Report | Format | Usage | | -------------------------------------------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `reports/docker-hadolint-*.native.json` | native hadolint test report (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#hadolint)<br/>_This report is generated only if DefectDojo template is detected_ | +| `reports/docker-hadolint-*.native.json` | native hadolint test report (json) | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/hadolint/)<br/>_This report is generated only if DefectDojo template is detected_ | | `reports/docker-hadolint-*.codeclimate.json` | hadolint (GitLab) codeclimate format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality) | ### `docker-*-build` jobs 
@@ -310,7 +322,7 @@ It is bound to the `package-build` stage, and uses the following variables: | `dind-build-job-tags` / `DOCKER_DIND_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | | `buildah-build-job-tags` / `DOCKER_BUILDAH_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | -This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)): +This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv)): | Input / Variable | Description | Example | | --------------------- | ------------------------------------------------------ | -------------------------------------------------------------- | @@ -401,15 +413,15 @@ In case your image takes quite some time to be downloaded by the runner, increas ### `docker-trivy` job -This job performs a Vulnerability Static Analysis with [Trivy](https://github.com/aquasecurity/trivy) on your built image. +This job performs a Vulnerability Static Analysis with [Trivy](https://aquasecurity.github.io/trivy) on your built image. -Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/v0.28.0/docs/references/modes/standalone/) mode. +Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/latest/docs/references/modes/standalone/) mode. -If you want to run Trivy in client/server mode, you need to set the `DOCKER_TRIVY_ADDR` environment variable. +If you want to run Trivy in client/server mode, you need to set the `TRIVY_SERVER` environment variable. ```yaml variables: - DOCKER_TRIVY_ADDR: "https://trivy.acme.host" + TRIVY_SERVER: "https://trivy.acme.host" ``` It is bound to the `package-test` stage, and uses the following variables: 
@@ -425,12 +437,20 @@ It is bound to the `package-test` stage, and uses the following variables: | `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY` | OCI repository to retrieve Trivy Java Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)_ | | `docker-trivy-job-tags` / `DOCKER_DOCKER_TRIVY_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | -In addition to a textual report in the console, this job produces the following reports, kept for one day: +Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options). +Examples: + +* `TRIVY_SEVERITY`: severities of security issues to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) +* `TRIVY_SERVER`: server address (enables client/server mode) +* `TRIVY_DB_REPOSITORY`: OCI repository to retrieve Trivy Database from +* `TRIVY_JAVA_DB_REPOSITORY`: OCI repository to retrieve Trivy Java Database from + +In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher: | Report | Format | Usage | | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#trivy)<br/>_This report is generated only if DefectDojo template is detected_ | -| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for 
GitLab](https://aquasecurity.github.io/trivy/v0.30.4/docs/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) | +| `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/trivy/)<br/>_This report is generated only if DefectDojo template is detected_ | +| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) | ### `docker-sbom` job @@ -459,7 +479,7 @@ This job pushes (_promotes_) the built image as the _release_ image [skopeo](htt | `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration) | _none_ (enabled) | | `docker-publish-job-tags` / `DOCKER_DOCKER_PUBLISH_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | -This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)): +This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv)): | Input / Variable | Description | Example | | --------------------- | ----------------------------------------------------- | ----------------------------------------------------- | 
@@ -551,7 +571,7 @@ Here is a `.gitlab-ci.yaml` using an external Docker registry: ```yaml include: - - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0 + - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0 inputs: snapshot-image: "registry.acme.host/$CI_PROJECT_NAME/snapshot:$CI_COMMIT_REF_SLUG" release-image: "registry.acme.host/$CI_PROJECT_NAME:$CI_COMMIT_REF_NAME" @@ -566,7 +586,7 @@ Here is a `.gitlab-ci.yaml` that builds 2 Docker images from the same project (u ```yaml include: - - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0 + - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0 .docker-base: parallel: 
@@ -594,10 +614,12 @@ In order to be able to communicate with the Vault server, the variant requires t | Input / Variable | Description | Default value | | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | | `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest` | -| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url | _none_ | +| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url | **must be defined** | | `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` | -| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** | -| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** | +| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ | +| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ | + +By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables. #### Usage 
@@ -619,14 +641,13 @@ With: ```yaml include: # main template - - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0 + - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0 # Vault variant - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-vault@5.7.0 inputs: # audience claim for JWT vault-oidc-aud: "https://vault.acme.host" vault-base-url: "https://vault.acme.host/v1" - # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable variables: # Secrets managed by Vault @@ -668,7 +689,7 @@ to use the snapshot image repository (will host your snapshot image as well as c ```yaml include: - - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0 + - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0 inputs: build-tool: "kaniko" # Only Kaniko has been proved to work for this use case YET # untested & unverified container image @@ -741,7 +762,7 @@ then set the required configuration. ```yaml include: - - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0 + - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0 inputs: # untested & unverified container image snapshot-image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH_SLUG/snapshot:$CI_COMMIT_REF_SLUG" diff --git a/bumpversion.sh b/bumpversion.sh index 329e866dac988c049574a0a9f26ba89979c523a8..708faf434d2459d63b2bdaceada5eb32b0fd39eb 100755 --- a/bumpversion.sh +++ b/bumpversion.sh 
@@ -27,7 +27,7 @@ if [[ "$curVer" ]]; then log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..." # replace in README - sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next + sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next mv -f README.md.next README.md # replace in template and variants diff --git a/kicker.json b/kicker.json index e6e285a9a6fe5ce015e8e297e5a612b37112c052..0ef843fdb54da35f388ef8617aa0d8ab5bbb4a2d 100644 --- a/kicker.json +++ b/kicker.json @@ -216,7 +216,7 @@ { "id": "trivy", "name": "Trivy", - "description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis", + "description": "[Trivy](https://aquasecurity.github.io/trivy) vulnerability analysis", "disable_with": "DOCKER_TRIVY_DISABLED", "variables": [ { 
@@ -225,32 +225,10 @@ "default": "registry.hub.docker.com/aquasec/trivy:latest", "advanced": true }, - { - "name": "DOCKER_TRIVY_ADDR", - "type": "url", - "description": "The Trivy server address" - }, - { - "name": "DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD", - "type": "enum", - "values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"], - "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)", - "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - }, { "name": "DOCKER_TRIVY_ARGS", - "description": "Additional `trivy client` arguments", - "default": "--ignore-unfixed --vuln-type os --exit-on-eol 1", - "advanced": true - }, - { - "name": "DOCKER_TRIVY_DB_REPOSITORY", - "description": "OCI repository to retrieve Trivy Database from", - "advanced": true - }, - { - "name": "DOCKER_TRIVY_JAVA_DB_REPOSITORY", - "description": "OCI repository to retrieve Trivy Java Database from", + "description": "Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)", + "default": "--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive", "advanced": true }, { diff --git a/templates/gitlab-ci-docker-ecr.yml b/templates/gitlab-ci-docker-ecr.yml index fee78fe138af70333e626874990b7cdab94c5f8a..2d5e82a854ff162c0a66932ed18e950ae571c304 100644 --- a/templates/gitlab-ci-docker-ecr.yml +++ b/templates/gitlab-ci-docker-ecr.yml @@ -45,7 +45,7 @@ variables: .docker-base: services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "docker", "5.12.0"] + command: ["--service", "docker", "6.0.0"] - name: "$TBC_AWS_PROVIDER_IMAGE" alias: "aws-auth-provider" id_tokens: diff --git a/templates/gitlab-ci-docker-gcp.yml b/templates/gitlab-ci-docker-gcp.yml index 3632573329fcbdf23a6a88be6eb6249d81e23d88..e44d381397bf604d3cbcd8ab1fffe372de910b47 100644 
--- a/templates/gitlab-ci-docker-gcp.yml +++ b/templates/gitlab-ci-docker-gcp.yml @@ -44,7 +44,7 @@ variables: .docker-base: services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "docker", "5.12.0"] + command: ["--service", "docker", "6.0.0"] - name: "$TBC_GCP_PROVIDER_IMAGE" alias: "gcp-auth-provider" variables: diff --git a/templates/gitlab-ci-docker-vault.yml b/templates/gitlab-ci-docker-vault.yml index 5a06bb88dd901acfda8d6789f51ad49e567b4cf3..81e3fdb17844dfbcdfc258b79f723f47a92f195c 100644 --- a/templates/gitlab-ci-docker-vault.yml +++ b/templates/gitlab-ci-docker-vault.yml @@ -22,7 +22,7 @@ variables: .docker-base: services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "docker", "5.12.0"] + command: ["--service", "docker", "6.0.0"] - name: "$TBC_VAULT_IMAGE" alias: "vault-secrets-provider" variables: diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 6a31be89ff93298a0a7cb33a6d98749361fea79e..8ae9cbaae588a9096e0432678755c4a4f19c32e1 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml 
@@ -158,27 +158,9 @@ spec: trivy-image: description: The docker image used to scan images with Trivy default: registry.hub.docker.com/aquasec/trivy:latest - trivy-addr: - description: The Trivy server address - default: '' - trivy-security-level-threshold: - description: 'Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)' - options: - - UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL - - LOW,MEDIUM,HIGH,CRITICAL - - MEDIUM,HIGH,CRITICAL - - HIGH,CRITICAL - - CRITICAL - default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL trivy-args: - description: Additional `trivy client` arguments - default: --ignore-unfixed --vuln-type os --exit-on-eol 1 - trivy-db-repository: - description: Custom OCI repository to retrieve Trivy Database from - default: '' - trivy-java-db-repository: - description: Custom Java DB repository path - default: '' + description: Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) + default: --ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive sbom-disabled: description: Disable Software Bill of Materials type: boolean @@ -287,11 +269,9 @@ variables: DOCKER_SNAPSHOT_IMAGE: $[[ inputs.snapshot-image ]] DOCKER_RELEASE_IMAGE: $[[ inputs.release-image ]] - DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]] DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]] DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]] - DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]] - DOCKER_TRIVY_JAVA_DB_REPOSITORY: $[[ inputs.trivy-java-db-repository ]] + DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]] # SBOM genenration image and arguments DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]] 
@@ -327,8 +307,6 @@ variables: DOCKER_HEALTHCHECK_DISABLED: $[[ inputs.healthcheck-disabled ]] DOCKER_HEALTHCHECK_OPTIONS: $[[ inputs.healthcheck-options ]] DOCKER_HEALTHCHECK_CONTAINER_ARGS: $[[ inputs.healthcheck-container-args ]] - DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]] - DOCKER_TRIVY_ADDR: $[[ inputs.trivy-addr ]] DOCKER_SBOM_DISABLED: $[[ inputs.sbom-disabled ]] # ================================================== @@ -551,6 +529,22 @@ stages: done } + # simple JSON merge (used in Skopeo job only) + function merge_json() { + python3 -c "import json,sys + def merge(a,b): + for key in b: + if key in a and isinstance(a[key],dict) and isinstance(b[key],dict): a[key]=merge(a[key],b[key]) + else: a[key]=b[key] + return a + def mergef(*files): + res={} + for f in files: + with open(f,'r') as rd: res=merge(res,json.load(rd)) + return res + print(json.dumps(mergef(*sys.argv[1:])))" "$@" + } + function wait_for_docker_daemon() { log_info "Wait for Docker daemon..." # shellcheck disable=SC2034 
@@ -582,8 +576,19 @@ stages: export docker_release_authent_token export docker_release_registry_host - docker_snapshot_config_json=$(echo -n "{\"auths\":{\"$docker_snapshot_registry_host\":{\"auth\":\"$docker_snapshot_authent_token\"},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}}") - docker_release_config_json=$(echo -n "{\"auths\":{\"$docker_release_registry_host\":{\"auth\":\"$docker_release_authent_token\"},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}}") + if [[ -n "$DOCKER_REGISTRY_MIRROR" && -n "$DOCKER_REGISTRY_MIRROR_USER" ]] + then + docker_mirror_authent_token=$(echo -n "$DOCKER_REGISTRY_MIRROR_USER:$DOCKER_REGISTRY_MIRROR_PASSWORD" | base64 | tr -d '\n') + # shellcheck disable=SC2001 + docker_mirror_registry_host=$(echo "$DOCKER_REGISTRY_MIRROR" | sed "s|^https*://||" | cut -d/ -f1) + export docker_mirror_authent_token + export docker_mirror_registry_host + + docker_mirror_config_json="\"$docker_mirror_registry_host\":{\"auth\":\"$docker_mirror_authent_token\"}," + fi + + docker_snapshot_config_json=$(echo -n "{\"auths\":{$docker_mirror_config_json\"$docker_snapshot_registry_host\":{\"auth\":\"$docker_snapshot_authent_token\"}},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}") + docker_release_config_json=$(echo -n "{\"auths\":{$docker_mirror_config_json\"$docker_release_registry_host\":{\"auth\":\"$docker_release_authent_token\"}},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}") # Create the configuration file for Docker and Kaniko BUILDTOOL_HOME=${BUILDTOOL_HOME:-$HOME} 
@@ -595,10 +600,16 @@ stages: echo "${docker_snapshot_config_json}" > "$BUILDTOOL_HOME/.docker/config.json" fi - # Create the configuration file for Skopeo - mkdir -p "$BUILDTOOL_HOME/skopeo/.docker" - echo "${docker_snapshot_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" - echo "${docker_release_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" + # Create the configuration files for Skopeo + if command -v skopeo > /dev/null + then + mkdir -p "$BUILDTOOL_HOME/skopeo/.docker" + # use same auth config as the build tool for the source image + cp -f "$BUILDTOOL_HOME/.docker/config.json" "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" + # use a merged auth config for the destination image + echo "${docker_release_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" + merge_json "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" + fi log_info "Docker authentication configured for \\e[33;1m${docker_snapshot_registry_host}\\e[0m" } @@ -701,7 +712,7 @@ stages: .docker-base: services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "docker", "5.12.0"] + command: ["--service", "docker", "6.0.0"] before_script: - !reference [.docker-scripts] @@ -737,7 +748,7 @@ stages: _TRACE: "${TRACE}" services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "docker", "5.12.0"] + command: ["--service", "docker", "6.0.0"] - name: $DOCKER_DIND_IMAGE alias: docker command: @@ -786,6 +797,7 @@ docker-hadolint: artifacts: name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG" expire_in: 1 day + access: developer when: always reports: codequality: 
@@ -998,27 +1010,23 @@ docker-trivy: export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}} basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g') mkdir -p ./reports - if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then - log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m" - trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository $DOCKER_TRIVY_DB_REPOSITORY} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY} - export trivy_opts="image" - else - log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}" - export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}" - fi - # Add common trivy arguments - # The Java DB is downloaded client-side in client/server mode (https://github.com/aquasecurity/trivy/issues/3560), so we need to specify the Java DB repository - export trivy_opts="${trivy_opts} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}" - # GitLab format (no fail) - trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $DOCKER_SNAPSHOT_IMAGE - # JSON format (no fail) - if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]] - then - trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE + if [[ -z "$TRIVY_SERVER" ]]; then + log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. 
More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m" fi - # console output (fail) - trivy ${trivy_opts} --format table --exit-code 1 $DOCKER_SNAPSHOT_IMAGE + # Generate the native JSON report that can later be converted to other formats + trivy image --no-progress ${DOCKER_TRIVY_ARGS} --exit-code 1 --format json --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE || exit_code=$? + + # Generate a report in the GitLab format + trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json reports/docker-trivy-${basename}.native.json + + # console output + trivy convert --format table reports/docker-trivy-${basename}.native.json + + exit $exit_code artifacts: + name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG" + expire_in: 1 day + access: developer when: always paths: - "reports/docker-trivy-*"
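Review bot: the regenerated `5.12.0` entry at the bottom of the CHANGELOG hunk silently changes its date from `2024-08-29` to `2024-08-26` and its compare URL host from `git.code.tecnalia.dev` to `gitlab.com`; if the old line came from a downstream fork the host fix is fine, but the date change should be deliberate rather than a side effect. The `BREAKING CHANGES` entry should also name the 4 removed params (`DOCKER_TRIVY_ADDR`, `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD`, `DOCKER_TRIVY_DB_REPOSITORY`, `DOCKER_TRIVY_JAVA_DB_REPOSITORY`, as removed in kicker.json) and their `TRIVY_SERVER` / `TRIVY_SEVERITY` / `TRIVY_DB_REPOSITORY` / `TRIVY_JAVA_DB_REPOSITORY` replacements, so that users upgrading do not have to read the diff to migrate.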
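Review bot: the new "Using a registry mirror during image builds" section restricts the mirror to the kaniko and dind options, but the auth code added in templates/gitlab-ci-docker.yml (hunk `@@ -582`) injects `docker_mirror_config_json` into the shared `config.json` whenever `DOCKER_REGISTRY_MIRROR` and `DOCKER_REGISTRY_MIRROR_USER` are set, regardless of build tool; with buildah the mirror credentials end up on disk while the mirror URL is never used. Either gate the credential injection on the build tool as well, or state in this section that the credentials are always written to the Docker config and only the mirror URL is kaniko/dind-specific.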
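Review bot: the variables table in the `@@ -425` README hunk still carries the context row `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY`, but that input is deleted from the spec in templates/gitlab-ci-docker.yml (hunk `@@ -158`) and from kicker.json in this same change; drop the row (and the stray trailing `_` in its default cell, `...trivy-java-db:1\`)_`) so the README matches the "4 Trivy configuration params removed" in BREAKING CHANGES. The new `TRIVY_*` list links to the `trivy image` CLI options page, so a reader has to infer the mapping from flag to variable (`--severity` to `TRIVY_SEVERITY`, `--server` to `TRIVY_SERVER`, `--db-repository` to `TRIVY_DB_REPOSITORY`); one sentence on that naming convention would make the migration self-explanatory.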
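Review bot: typo in the sentence added at the end of the Vault variables hunk (`@@ -594`): "authentifacte" should read "authenticate", and "the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables" reads better as "`VAULT_ROLE_ID` and `VAULT_SECRET_ID` must both be defined as secret project variables", since AppRole needs the pair. The defaults column swap (`VAULT_BASE_URL` becomes **must be defined**, the AppRole variables become _none_) matches the JWT-by-default behaviour described, but the table should say explicitly that setting only one of the two AppRole variables is a misconfiguration.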
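Review bot: the Vault usage example in the `@@ -619` README hunk still pins `gitlab-ci-docker-vault@5.7.0` next to `gitlab-ci-docker@6.0.0`, although templates/gitlab-ci-docker-vault.yml is bumped to `6.0.0` in this same change; `bumpversion.sh` only rewrites `component: ...@$curVer` lines that contain the current version, so this pin is never updated automatically and should be changed by hand here (or the sed extended to cover the variant pins).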
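Review bot: the new `DOCKER_TRIVY_ARGS` default `--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive` (kicker.json and the `trivy-args` input in templates/gitlab-ci-docker.yml) depends on flags that only newer Trivy releases accept (`--pkg-types` replaced the deprecated `--vuln-type` per the 5.13.2 entry), while the default image is `registry.hub.docker.com/aquasec/trivy:latest`; anyone pinning `DOCKER_TRIVY_IMAGE` to an older tag will get an unknown-flag failure from the job, so document the minimum Trivy version next to the default. It is also worth saying in the README that `--pkg-types os` restricts the default scan to OS packages and `--ignore-unfixed` hides findings without a fix, so application-level dependencies are not reported unless the user overrides the args.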
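Review bot: `merge_json` (hunk `@@ -551`) calls `python3`, but the only guard around its use (hunk `@@ -595`) is `command -v skopeo`; if the image that provides skopeo has no `python3`, the before_script dies with a command-not-found instead of a clear message, so add a `command -v python3` check with a `log_warn`/fail, or replace the helper with `jq -s '.[0] * .[1]' src.json release-only.json` if `jq` is available in the images used. Also check that the YAML block scalar preserves the relative indentation of the inline Python: as the hunk renders here, `for key in b:` sits at the same column as `def merge(a,b):`, which Python rejects with an IndentationError; a heredoc (`python3 - "$@" <<'EOF' ... EOF`) is less fragile than a multi-line quoted `-c` string inside YAML.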
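Review bot: `docker_mirror_config_json` (hunk `@@ -582`) is only assigned inside the `if`, so on the common no-mirror path the `{\"auths\":{$docker_mirror_config_json\"$docker_snapshot_registry_host\"...` expansion relies on the variable being unset-but-empty; initialize `docker_mirror_config_json=""` before the `if` so the function behaves identically under `set -u` and is not affected by a value leaking in from the environment. The host extraction `sed "s|^https*://||"` matches `http`, `https` and also `httpss`; `s|^https\{0,1\}://||` is the intended pattern.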
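Review bot: copying `$BUILDTOOL_HOME/.docker/config.json` as the Skopeo source config (hunk `@@ -595`) is what lets a user-supplied Docker config reach Skopeo, but it also means that every `auths` entry in that file (user-provided read-only repos, the mirror token) is merged into `dest-config.json` and handed to the publish step, not only the release registry entry; the credentials are keyed by registry host so this should be safe, but the README section on "Setting your own Docker configuration file" should state that user-provided entries are now also visible to the `docker-publish` job. Consider `rm -f release-only.json` after the merge, since it is a third on-disk copy of the release credentials that nothing reads afterwards.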
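Review bot: `access: developer` on the `docker-hadolint` artifacts (hunk `@@ -786`, and the same keyword in the `docker-trivy` hunk) requires a GitLab release that knows the `artifacts:access` keyword; on an older self-managed instance the pipeline is rejected at YAML validation with an unknown-key error, which is a compatibility break that the 5.14.1 CHANGELOG entry presents as a plain bug fix. State the minimum GitLab version in the README (and ideally in the changelog entry).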
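Review bot: `exit_code` is never initialized in the rewritten `docker-trivy` script, so when `trivy image ... --exit-code 1` reports nothing the `|| exit_code=$?` branch is skipped and the final `exit $exit_code` runs as a bare `exit`, returning the status of the preceding `trivy convert --format table` rather than an explicit 0; set `exit_code=0` before the scan. Scanning once and converting the native JSON twice is a good simplification, but with `--exit-code 1` a real scan error (image pull or DB download failure) and a finding are now indistinguishable by exit status, and on an error the two `trivy convert` calls fail on a missing report file, which hides the original message; guard the conversions with a check that `reports/docker-trivy-${basename}.native.json` exists and otherwise `exit $exit_code` directly.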