From f9a160201fe11a1ac7d125b5fa9aa181c4599fd5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Bazin?= <clem69.b@gmail.com>
Date: Tue, 19 Oct 2021 08:36:49 +0000
Subject: [PATCH] fix(trivy): ignore unfixed security issues by default

---
 README.md                      | 1 +
 kicker.json                    | 6 ++++++
 templates/gitlab-ci-docker.yml | 7 ++++---
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 5e92dfc..3502676 100644
--- a/README.md
+++ b/README.md
@@ -272,6 +272,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `DOCKER_TRIVY_ADDR`    | The Trivy server address               | _(none: disabled by default)_  |
 | `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD`| Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`  |
 | `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis          | _(none)_ |
+| `DOCKER_TRIVY_ARGS`    | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/dev/getting-started/cli/client/)  | `--ignore-unfixed` |
 
 ### `docker-publish` job
 
diff --git a/kicker.json b/kicker.json
index d2a1759..544b86d 100644
--- a/kicker.json
+++ b/kicker.json
@@ -155,6 +155,12 @@
           "values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"],
           "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
           "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+        },
+        {
+          "name": "DOCKER_TRIVY_ARGS",
+          "description": "Additional `trivy client` arguments",
+          "default": "--ignore-unfixed",
+          "advanced": true
         }
       ]
     }
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index e42638b..52fe8b5 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -36,6 +36,7 @@ variables:
 
   DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
   DOCKER_TRIVY_IMAGE: "aquasec/trivy:latest"
+  DOCKER_TRIVY_ARGS: "--ignore-unfixed"
 
   # by default: DevOps pipeline
   PUBLISH_ON_PROD: "true"
@@ -613,9 +614,9 @@ docker-trivy:
     export FILENAME=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
     mkdir -p ./trivy
     # the first execution of Trivy should never fail, otherwise the other executions won't be run (so --exit-code=0)
-    trivy client --remote ${DOCKER_TRIVY_ADDR} --format template --template @/contrib/junit.tpl --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.xml --vuln-type os --exit-code 0 $DOCKER_SNAPSHOT_IMAGE
-    trivy client --remote ${DOCKER_TRIVY_ADDR} --format json --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.json --vuln-type os --exit-code 0  $DOCKER_SNAPSHOT_IMAGE
-    trivy client --remote ${DOCKER_TRIVY_ADDR} --format table --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --vuln-type os --exit-code 1 $DOCKER_SNAPSHOT_IMAGE
+    trivy client --remote ${DOCKER_TRIVY_ADDR} --format template --template @/contrib/junit.tpl --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.xml --vuln-type os --exit-code 0  ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
+    trivy client --remote ${DOCKER_TRIVY_ADDR} --format json --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --output ./trivy/${FILENAME}.json --vuln-type os --exit-code 0 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
+    trivy client --remote ${DOCKER_TRIVY_ADDR} --format table --severity "${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD}" --vuln-type os --exit-code 1 ${DOCKER_TRIVY_ARGS} $DOCKER_SNAPSHOT_IMAGE
   artifacts:
     when: always
     paths:
-- 
GitLab