Merge remote-tracking branch 'upstream/master'

# Conflicts: # .gitlab-ci.yml # CHANGELOG.md # README.md

Merge remote-tracking branch 'upstream/master'
bbfc4eb5 · Benguria Elguezabal, Gorka · fa930147 · c159d13e · bbfc4eb5 · bbfc4eb5
Commit bbfc4eb5 authored 4 months ago by Benguria Elguezabal, Gorka
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
-# [5.12.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/compare/5.11.1...5.12.0) (2024-08-29)
+# [6.0.0](https://gitlab.com/to-be-continuous/docker/compare/5.14.1...6.0.0) (2024-11-26)
+
+
+### Code Refactoring
+
+* **trivy:** enforce usage of Trivy environment variables ([e69ce13](https://gitlab.com/to-be-continuous/docker/commit/e69ce13565711b9dac8ee7b7105c8e9061bb3799))
+
+
+### BREAKING CHANGES
+
+* **trivy:** 4 Trivy configuration params removed in favor of the native Trivy environment variables
+
+## [5.14.1](https://gitlab.com/to-be-continuous/docker/compare/5.14.0...5.14.1) (2024-11-02)
+
+
+### Bug Fixes
+
+* limit security reports access to developer role or higher ([29a3173](https://gitlab.com/to-be-continuous/docker/commit/29a3173e7393ad84df324a34cd8cdc17ab3cac14))
+
+# [5.14.0](https://gitlab.com/to-be-continuous/docker/compare/5.13.3...5.14.0) (2024-11-01)
+
+
+### Features
+
+* **mirror:** add support for DOCKER_REGISTRY_MIRROR_USER/PASSWORD vars ([76c9d16](https://gitlab.com/to-be-continuous/docker/commit/76c9d1699fb5a6c03b827c8b035314e4873d173b))
+
+## [5.13.3](https://gitlab.com/to-be-continuous/docker/compare/5.13.2...5.13.3) (2024-10-24)
+
+
+### Bug Fixes
+
+* set trivy artifact expiration ([5854b42](https://gitlab.com/to-be-continuous/docker/commit/5854b428f1007c7cde90ad836fba6b9cbcc2a251))
+
+## [5.13.2](https://gitlab.com/to-be-continuous/docker/compare/5.13.1...5.13.2) (2024-10-04)
+
+
+### Bug Fixes
+
+* **trivy:** use --pkg-types instead of deprecated --vuln-type option ([76d0f3f](https://gitlab.com/to-be-continuous/docker/commit/76d0f3f506278028eebb3a526322ae205f347761))
+
+## [5.13.1](https://gitlab.com/to-be-continuous/docker/compare/5.13.0...5.13.1) (2024-09-21)
+
+
+### Bug Fixes
+
+* allow Skopeo to inherit Docker auth config ([9bb198e](https://gitlab.com/to-be-continuous/docker/commit/9bb198ef051fc53decf5e7a79970c6a1f5204567))
+
+# [5.13.0](https://gitlab.com/to-be-continuous/docker/compare/5.12.1...5.13.0) (2024-09-15)
+
+
+### Features
+
+* **trivy:** enable comprehensive priority ([d26a665](https://gitlab.com/to-be-continuous/docker/commit/d26a6659d9c184455f4c6473154621a50af4b6e9))
+
+## [5.12.1](https://gitlab.com/to-be-continuous/docker/compare/5.12.0...5.12.1) (2024-09-12)
+
+
+### Bug Fixes
+
+* wrong default value for DOCKER_TRIVY_ARGS ([1b84a79](https://gitlab.com/to-be-continuous/docker/commit/1b84a792b86bcae5dec8e9a4c4d9f35deb55ee98))
+
+# [5.12.0](https://gitlab.com/to-be-continuous/docker/compare/5.11.1...5.12.0) (2024-08-26)


 ### Features

--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`:
 ```yaml
 include:
  # 1: include the component
-  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/docker/gitlab-ci-docker@5.12.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
    # 2: set/override component inputs
    inputs:
      build-tool: buildah # ⚠ this is only an example
@@ -28,7 +28,7 @@ Add the following to your `.gitlab-ci.yml`:
 include:
  # 1: include the template
  - project: 'to-be-continuous/docker'
-    ref: '5.12.0'
+    ref: '6.0.0'
    file: '/templates/gitlab-ci-docker.yml'

 variables:
@@ -136,6 +136,16 @@ If you use **different registries** for snapshot and release images, you shall u
 | :lock: `DOCKER_REGISTRY_RELEASE_USER`      | Docker registry username for release image registry  |
 | :lock: `DOCKER_REGISTRY_RELEASE_PASSWORD`  | Docker registry password for release image registry  |

+#### Using a registry mirror during image builds
+
+You can provide a URL for a mirror registry of `https://index.docker.io` for use during image builds (:warning: `kaniko` and `dind` options only), and optionally with credentials for the mirror, using the following variables:
+
+| Input / Variable                             | Description                                      |
+| -------------------------------------------- | ------------------------------------------------ |
+| `registry-mirror` / `DOCKER_REGISTRY_MIRROR` | URL of a Docker registry mirror to use           |
+| :lock: `DOCKER_REGISTRY_MIRROR_USER`         | Docker registry username for the mirror registry |
+| :lock: `DOCKER_REGISTRY_MIRROR_PASSWORD`     | Docker registry password for the mirror registry |
+
 #### Setting your own Docker configuration file (advanced)

 There might be cases where you need to provide the complete [Docker configuration file](https://docs.docker.com/engine/reference/commandline/cli/#configuration-files):
@@ -163,6 +173,8 @@ In addition to you own defined variables, you may use the following variables (p
 - `${docker_snapshot_registry_host}`: the snapshot registry host (based on the configured `DOCKER_SNAPSHOT_IMAGE` variable)
 - `${docker_release_authent_token}`: the authentication token required by the release registry (computed from configured `DOCKER_REGISTRY_RELEASE_USER` / `DOCKER_REGISTRY_RELEASE_PASSWORD` variables)
 - `${docker_release_registry_host}`: the release registry host (based on the configured `DOCKER_RELEASE_IMAGE` variable)
+- `${docker_mirror_authent_token}`: the authentication token required by the mirror registry (computed from configured `DOCKER_REGISTRY_MIRROR_USER` / `DOCKER_REGISTRY_MIRROR_PASSWORD` variables)
+- `${docker_mirror_registry_host}`: the mirror registry host (based on the configured `DOCKER_REGISTRY_MIRROR` variable)

 Example 1: Docker configuration file inlined in the project repository (`.docker/config.json`) with **dynamic variables replacement**:

@@ -170,10 +182,10 @@ Example 1: Docker configuration file inlined in the project repository (`.docker
 {
  "auths": {
    "${docker_snapshot_registry_host}": {
-      "auth": "${docker_release_authent_token}"
+      "auth": "${docker_snapshot_authent_token}"
    },
    "${docker_release_registry_host}": {
-      "auth": "${docker_snapshot_authent_token}"
+      "auth": "${docker_release_authent_token}"
    },
    "my-readonly-repo-to-pull": {
      "auth": "${MY_OWN_REGISTRY_TOKEN}"
@@ -285,11 +297,11 @@ FROM ubuntu
 RUN cd /tmp && echo "hello!"
 ```

-In addition to a textual report in the console, this job produces the following reports, kept for one day:
+In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:

 | Report                                       | Format                               | Usage                                                                                                                                                                          |
 | -------------------------------------------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `reports/docker-hadolint-*.native.json`      | native hadolint test report (json)   | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#hadolint)<br/>_This report is generated only if DefectDojo template is detected_ |
+| `reports/docker-hadolint-*.native.json`      | native hadolint test report (json)   | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/hadolint/)<br/>_This report is generated only if DefectDojo template is detected_ |
 | `reports/docker-hadolint-*.codeclimate.json` | hadolint (GitLab) codeclimate format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality)                                                                    |

 ### `docker-*-build` jobs
@@ -310,7 +322,7 @@ It is bound to the `package-build` stage, and uses the following variables:
 | `dind-build-job-tags` / `DOCKER_DIND_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |
 | `buildah-build-job-tags` / `DOCKER_BUILDAH_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

-This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
+This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv)):

 | Input / Variable      | Description                                            | Example                                                        |
 | --------------------- | ------------------------------------------------------ | -------------------------------------------------------------- |
@@ -401,15 +413,15 @@ In case your image takes quite some time to be downloaded by the runner, increas

 ### `docker-trivy` job

-This job performs a Vulnerability Static Analysis with [Trivy](https://github.com/aquasecurity/trivy) on your built image.
+This job performs a Vulnerability Static Analysis with [Trivy](https://aquasecurity.github.io/trivy) on your built image.

-Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/v0.28.0/docs/references/modes/standalone/) mode.
+Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/latest/docs/references/modes/standalone/) mode.

-If you want to run Trivy in client/server mode, you need to set the `DOCKER_TRIVY_ADDR` environment variable.
+If you want to run Trivy in client/server mode, you need to set the `TRIVY_SERVER` environment variable.

 ```yaml
 variables:
-  DOCKER_TRIVY_ADDR: "https://trivy.acme.host"
+  TRIVY_SERVER: "https://trivy.acme.host"
 ```

 It is bound to the `package-test` stage, and uses the following variables:
@@ -425,12 +437,20 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY` | OCI repository to retrieve Trivy Java Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)_ |
 | `docker-trivy-job-tags` / `DOCKER_DOCKER_TRIVY_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

-In addition to a textual report in the console, this job produces the following reports, kept for one day:
+Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options).
+Examples:
+
+* `TRIVY_SEVERITY`: severities of security issues to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)
+* `TRIVY_SERVER`: server address (enables client/server mode)
+* `TRIVY_DB_REPOSITORY`: OCI repository to retrieve Trivy Database from
+* `TRIVY_JAVA_DB_REPOSITORY`: OCI repository to retrieve Trivy Java Database from
+
+In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:

 | Report                               | Format                                                                                                             | Usage                                                                                                                                                                       |
 | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `reports/docker-trivy-*.native.json` | native Trivy report format (json)                                                                                  | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#trivy)<br/>_This report is generated only if DefectDojo template is detected_ |
-| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/v0.30.4/docs/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning)                                                          |
+| `reports/docker-trivy-*.native.json` | native Trivy report format (json)                                                                                  | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/trivy/)<br/>_This report is generated only if DefectDojo template is detected_ |
+| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning)                                                          |

 ### `docker-sbom` job

@@ -459,7 +479,7 @@ This job pushes (_promotes_) the built image as the _release_ image [skopeo](htt
 | `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration)   | _none_ (enabled) |
 | `docker-publish-job-tags` / `DOCKER_DOCKER_PUBLISH_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

-This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
+This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv)):

 | Input / Variable      | Description                                           | Example                                               |
 | --------------------- | ----------------------------------------------------- | ----------------------------------------------------- |
@@ -551,7 +571,7 @@ Here is a `.gitlab-ci.yaml` using an external Docker registry:

 ```yaml
 include:
-  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
    inputs:
      snapshot-image: "registry.acme.host/$CI_PROJECT_NAME/snapshot:$CI_COMMIT_REF_SLUG"
      release-image: "registry.acme.host/$CI_PROJECT_NAME:$CI_COMMIT_REF_NAME"
@@ -566,7 +586,7 @@ Here is a `.gitlab-ci.yaml` that builds 2 Docker images from the same project (u

 ```yaml
 include:
-  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0

 .docker-base:
  parallel:
@@ -594,10 +614,12 @@ In order to be able to communicate with the Vault server, the variant requires t
 | Input / Variable                    | Description                                                                                                                     | Default value                                                              |
 | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- |
 | `TBC_VAULT_IMAGE`                   | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest` |
-| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url                                                                                                   | _none_                                                                     |
+| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url                                                                                                   | **must be defined**                                                        |
 | `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT                                                                                                     | `$CI_SERVER_URL`                                                           |
-| :lock: `VAULT_ROLE_ID`              | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID                                                             | **must be defined**                                                        |
-| :lock: `VAULT_SECRET_ID`            | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID                                                           | **must be defined**                                                        |
+| :lock: `VAULT_ROLE_ID`              | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID                                                             | _none_                                                                     |
+| :lock: `VAULT_SECRET_ID`            | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID                                                           | _none_                                                                     |
+
+By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.

 #### Usage

@@ -619,14 +641,13 @@ With:
 ```yaml
 include:
  # main template
-  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
  # Vault variant
  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-vault@5.7.0
    inputs:
      # audience claim for JWT
      vault-oidc-aud: "https://vault.acme.host"
      vault-base-url: "https://vault.acme.host/v1"
-      # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable

 variables:
  # Secrets managed by Vault
@@ -668,7 +689,7 @@ to use the snapshot image repository (will host your snapshot image as well as c

 ```yaml
 include:
-  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
    inputs:
      build-tool: "kaniko" # Only Kaniko has been proved to work for this use case YET
      # untested & unverified container image
@@ -741,7 +762,7 @@ then set the required configuration.

 ```yaml
 include:
-  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@5.12.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.0.0
    inputs:
      # untested & unverified container image
      snapshot-image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH_SLUG/snapshot:$CI_COMMIT_REF_SLUG"

--- a/bumpversion.sh
+++ b/bumpversion.sh
@@ -27,7 +27,7 @@ if [[ "$curVer" ]]; then
  log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."

  # replace in README
-  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
+  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
  mv -f README.md.next README.md

  # replace in template and variants

--- a/kicker.json
+++ b/kicker.json
@@ -216,7 +216,7 @@
    {
      "id": "trivy",
      "name": "Trivy",
-      "description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis",
+      "description": "[Trivy](https://aquasecurity.github.io/trivy) vulnerability analysis",
      "disable_with": "DOCKER_TRIVY_DISABLED",
      "variables": [
        {
@@ -225,32 +225,10 @@
          "default": "registry.hub.docker.com/aquasec/trivy:latest",
          "advanced": true
        },
-        {
-          "name": "DOCKER_TRIVY_ADDR",
-          "type": "url",
-          "description": "The Trivy server address"
-        },
-        {
-          "name": "DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD",
-          "type": "enum",
-          "values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"],
-          "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
-          "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
-        },
        {
          "name": "DOCKER_TRIVY_ARGS",
-          "description": "Additional `trivy client` arguments",
-          "default": "--ignore-unfixed --vuln-type os --exit-on-eol 1",
-          "advanced": true
-        },
-        {
-          "name": "DOCKER_TRIVY_DB_REPOSITORY",
-          "description": "OCI repository to retrieve Trivy Database from",
-          "advanced": true
-        },
-        {
-          "name": "DOCKER_TRIVY_JAVA_DB_REPOSITORY",
-          "description": "OCI repository to retrieve Trivy Java Database from",
+          "description": "Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)",
+          "default": "--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive",
          "advanced": true
        },
        {

--- a/templates/gitlab-ci-docker-ecr.yml
+++ b/templates/gitlab-ci-docker-ecr.yml
@@ -45,7 +45,7 @@ variables:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.12.0"]
+      command: ["--service", "docker", "6.0.0"]
    - name: "$TBC_AWS_PROVIDER_IMAGE"
      alias: "aws-auth-provider"
  id_tokens:

--- a/templates/gitlab-ci-docker-gcp.yml
+++ b/templates/gitlab-ci-docker-gcp.yml
@@ -44,7 +44,7 @@ variables:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.12.0"]
+      command: ["--service", "docker", "6.0.0"]
    - name: "$TBC_GCP_PROVIDER_IMAGE"
      alias: "gcp-auth-provider"
  variables:

--- a/templates/gitlab-ci-docker-vault.yml
+++ b/templates/gitlab-ci-docker-vault.yml
@@ -22,7 +22,7 @@ variables:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.12.0"]
+      command: ["--service", "docker", "6.0.0"]
    - name: "$TBC_VAULT_IMAGE"
      alias: "vault-secrets-provider"
  variables:

--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -158,27 +158,9 @@ spec:
    trivy-image:
      description: The docker image used to scan images with Trivy
      default: registry.hub.docker.com/aquasec/trivy:latest
-    trivy-addr:
-      description: The Trivy server address
-      default: ''
-    trivy-security-level-threshold:
-      description: 'Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'
-      options:
-      - UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-      - LOW,MEDIUM,HIGH,CRITICAL
-      - MEDIUM,HIGH,CRITICAL
-      - HIGH,CRITICAL
-      - CRITICAL
-      default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
    trivy-args:
-      description: Additional `trivy client` arguments
-      default: --ignore-unfixed --vuln-type os --exit-on-eol 1
-    trivy-db-repository:
-      description: Custom OCI repository to retrieve Trivy Database from
-      default: ''
-    trivy-java-db-repository:
-      description: Custom Java DB repository path 
-      default: ''
+      description: Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)
+      default: --ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive
    sbom-disabled:
      description: Disable Software Bill of Materials
      type: boolean
@@ -287,11 +269,9 @@ variables:
  DOCKER_SNAPSHOT_IMAGE: $[[ inputs.snapshot-image ]]
  DOCKER_RELEASE_IMAGE: $[[ inputs.release-image ]]

-  DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
  DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
  DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]]
-  DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]]
-  DOCKER_TRIVY_JAVA_DB_REPOSITORY: $[[ inputs.trivy-java-db-repository ]]
+  DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]

  # SBOM genenration image and arguments
  DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]]
@@ -327,8 +307,6 @@ variables:
  DOCKER_HEALTHCHECK_DISABLED: $[[ inputs.healthcheck-disabled ]]
  DOCKER_HEALTHCHECK_OPTIONS: $[[ inputs.healthcheck-options ]]
  DOCKER_HEALTHCHECK_CONTAINER_ARGS: $[[ inputs.healthcheck-container-args ]]
-  DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
-  DOCKER_TRIVY_ADDR: $[[ inputs.trivy-addr ]]
  DOCKER_SBOM_DISABLED: $[[ inputs.sbom-disabled ]]

 # ==================================================
@@ -551,6 +529,22 @@ stages:
    done
  }

+  # simple JSON merge (used in Skopeo job only)
+  function merge_json() {
+    python3 -c "import json,sys
+  def merge(a,b):
+    for key in b:
+      if key in a and isinstance(a[key],dict) and isinstance(b[key],dict): a[key]=merge(a[key],b[key])
+      else: a[key]=b[key]
+    return a
+  def mergef(*files):
+    res={}
+    for f in files:
+      with open(f,'r') as rd: res=merge(res,json.load(rd))
+    return res
+  print(json.dumps(mergef(*sys.argv[1:])))" "$@"
+  }
+
  function wait_for_docker_daemon() {
    log_info "Wait for Docker daemon..."
    # shellcheck disable=SC2034
@@ -582,8 +576,19 @@ stages:
    export docker_release_authent_token
    export docker_release_registry_host

-    docker_snapshot_config_json=$(echo -n "{\"auths\":{\"$docker_snapshot_registry_host\":{\"auth\":\"$docker_snapshot_authent_token\"},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}}")
-    docker_release_config_json=$(echo -n "{\"auths\":{\"$docker_release_registry_host\":{\"auth\":\"$docker_release_authent_token\"},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}}")
+    if [[ -n "$DOCKER_REGISTRY_MIRROR" && -n "$DOCKER_REGISTRY_MIRROR_USER" ]]
+    then
+      docker_mirror_authent_token=$(echo -n "$DOCKER_REGISTRY_MIRROR_USER:$DOCKER_REGISTRY_MIRROR_PASSWORD" | base64 | tr -d '\n')
+      # shellcheck disable=SC2001
+      docker_mirror_registry_host=$(echo "$DOCKER_REGISTRY_MIRROR" | sed "s|^https*://||" | cut -d/ -f1)
+      export docker_mirror_authent_token
+      export docker_mirror_registry_host
+
+      docker_mirror_config_json="\"$docker_mirror_registry_host\":{\"auth\":\"$docker_mirror_authent_token\"},"
+    fi
+
+    docker_snapshot_config_json=$(echo -n "{\"auths\":{$docker_mirror_config_json\"$docker_snapshot_registry_host\":{\"auth\":\"$docker_snapshot_authent_token\"}},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}")
+    docker_release_config_json=$(echo -n "{\"auths\":{$docker_mirror_config_json\"$docker_release_registry_host\":{\"auth\":\"$docker_release_authent_token\"}},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}")

    # Create the configuration file for Docker and Kaniko
    BUILDTOOL_HOME=${BUILDTOOL_HOME:-$HOME}
@@ -595,10 +600,16 @@ stages:
      echo "${docker_snapshot_config_json}" > "$BUILDTOOL_HOME/.docker/config.json"
    fi

-    # Create the configuration file for Skopeo
+    # Create the configuration files for Skopeo
+    if command -v skopeo > /dev/null
+    then
      mkdir -p "$BUILDTOOL_HOME/skopeo/.docker"
-    echo "${docker_snapshot_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/src-config.json"
-    echo "${docker_release_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json"
+      # use same auth config as the build tool for the source image
+      cp -f "$BUILDTOOL_HOME/.docker/config.json" "$BUILDTOOL_HOME/skopeo/.docker/src-config.json"
+      # use a merged auth config for the destination image
+      echo "${docker_release_config_json}" > "$BUILDTOOL_HOME/skopeo/.docker/release-only.json"
+      merge_json "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" "$BUILDTOOL_HOME/skopeo/.docker/release-only.json" > "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json"
+    fi

    log_info "Docker authentication configured for \\e[33;1m${docker_snapshot_registry_host}\\e[0m"
  }
@@ -701,7 +712,7 @@ stages:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.12.0"]
+      command: ["--service", "docker", "6.0.0"]
  before_script:
    - !reference [.docker-scripts]

@@ -737,7 +748,7 @@ stages:
    _TRACE: "${TRACE}"
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.12.0"]
+      command: ["--service", "docker", "6.0.0"]
    - name: $DOCKER_DIND_IMAGE
      alias: docker
      command:
@@ -786,6 +797,7 @@ docker-hadolint:
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
+    access: developer
    when: always
    reports:
      codequality:
@@ -998,27 +1010,23 @@ docker-trivy:
    export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
    basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
    mkdir -p ./reports
-    if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
-      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
-      trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository $DOCKER_TRIVY_DB_REPOSITORY} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY}
-      export trivy_opts="image"
-    else
-      log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"
-      export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}"
-    fi
-    # Add common trivy arguments
-    # The Java DB is downloaded client-side in client/server mode (https://github.com/aquasecurity/trivy/issues/3560), so we need to specify the Java DB repository
-    export trivy_opts="${trivy_opts} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}"
-    # GitLab format (no fail)
-    trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $DOCKER_SNAPSHOT_IMAGE
-    # JSON format (no fail)
-    if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
-    then
-      trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE
+    if [[ -z "$TRIVY_SERVER" ]]; then
+      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
    fi
-    # console output (fail)
-    trivy ${trivy_opts} --format table --exit-code 1 $DOCKER_SNAPSHOT_IMAGE
+    # Generate the native JSON report that can later be converted to other formats
+    trivy image --no-progress ${DOCKER_TRIVY_ARGS} --exit-code 1 --format json --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE || exit_code=$?
+
+    # Generate a report in the GitLab format
+    trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json reports/docker-trivy-${basename}.native.json
+
+    # console output
+    trivy convert --format table reports/docker-trivy-${basename}.native.json
+    
+    exit $exit_code
  artifacts:
+    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+    expire_in: 1 day
+    access: developer
    when: always
    paths:
    - "reports/docker-trivy-*"