Commit e62f19e9 authored by Pierre Smeyers
refactor(jib/trivy): enforce usage of Trivy environment variables

- $MAVEN_TRIVY_ADDR removed in favor of $TRIVY_SERVER
- $MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD removed in favor of $TRIVY_SEVERITY

BREAKING CHANGE: 2 Trivy configuration params removed in favor of the native Trivy environment variables
parent 5fa7fec1
......@@ -482,10 +482,16 @@ The template uses GitLab registries and authentication defaults. See the Docker
| -------------------------------------- | ------------------------ | ------------------------------------------------- |
| `sbom-image` / `MAVEN_SBOM_IMAGE` | The image used to perform and complete the Security Bill of Materials | `registry.hub.docker.com/anchore/syft:debug` |
| `sbom-opts` / `MAVEN_SBOM_OPTS` | SBOM options to complete the Security Bill of Materials | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,nix-store-cataloger,java` |
| `trivy-security-level-threshold` / `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` | Security level which fails the `mvn-trivy` job | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `trivy-image` / `MAVEN_TRIVY_IMAGE` | The image to perform container security scanning | `registry.hub.docker.com/aquasec/trivy:latest` |
| `trivy-args` / `MAVEN_TRIVY_ARGS` | Arguments for the execution of Trivy | `--ignore-unfixed --vuln-type os` |
| `trivy-args` / `MAVEN_TRIVY_ARGS` | Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) | `--ignore-unfixed --vuln-type os` |
Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options).
Examples:
* `TRIVY_SEVERITY`: severities of security issues to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)
* `TRIVY_SERVER`: server address (enables client/server mode)
* `TRIVY_DB_REPOSITORY`: OCI repository to retrieve Trivy Database from
* `TRIVY_JAVA_DB_REPOSITORY`: OCI repository to retrieve Trivy Java Database from
##### Jib build and publish configuration
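Review bot: the link behind "Trivy environment variables" in the line starting `Other Trivy parameters shall be configured` points to the `trivy image` CLI options page, the same URL already used in the `trivy-args` row; it should point to the Trivy configuration page that lists the environment variables (the `TRIVY_*` counterpart of each option), otherwise readers land on the option list and have to infer the variable names themselves. Since the commit marks the removal of `MAVEN_TRIVY_ADDR` and `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` as a breaking change, a one-line migration hint next to the table ("removed, use `TRIVY_SERVER` / `TRIVY_SEVERITY`") would save users a trip to the changelog.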
......@@ -217,7 +217,7 @@
{
"id": "mvn-trivy",
"name": "Maven Trivy",
"description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis",
"description": "[Trivy](https://aquasecurity.github.io/trivy) vulnerability analysis",
"disable_with": "MAVEN_TRIVY_DISABLED",
"variables": [
{
......@@ -226,27 +226,9 @@
"default": "registry.hub.docker.com/aquasec/trivy:latest",
"advanced": true
},
{
"name": "MAVEN_TRIVY_ADDR",
"type": "url",
"description": "The Trivy server address"
},
{
"name": "MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD",
"type": "enum",
"values": [
"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
"LOW,MEDIUM,HIGH,CRITICAL",
"MEDIUM,HIGH,CRITICAL",
"HIGH,CRITICAL",
"CRITICAL"
],
"description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
"default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
},
{
"name": "MAVEN_TRIVY_ARGS",
"description": "Additional `trivy client` arguments",
"description": "Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)",
"default": "--ignore-unfixed --vuln-type os",
"advanced": true
}
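Review bot: with `MAVEN_TRIVY_ADDR` and `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` dropped from the `mvn-trivy` variables, nothing left in this block tells a user of the configuration UI that `TRIVY_SERVER` and `TRIVY_SEVERITY` are now the way to set the server address and the severity filter; consider extending the `MAVEN_TRIVY_ARGS` description (or the job description) with a pointer such as "other options via Trivy environment variables, e.g. `TRIVY_SEVERITY`, `TRIVY_SERVER`", matching what the README hunk adds.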
......@@ -32,21 +32,8 @@ spec:
trivy-image:
description: The docker image used to scan images with Trivy
default: registry.hub.docker.com/aquasec/trivy:latest
trivy-addr:
description: The Trivy server address
default: ''
trivy-security-level-threshold:
description: 'Severities of vulnerabilities to be displayed (comma separated values:
`UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'
options:
- UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- LOW,MEDIUM,HIGH,CRITICAL
- MEDIUM,HIGH,CRITICAL
- HIGH,CRITICAL
- CRITICAL
default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
trivy-args:
description: Additional `trivy client` arguments
description: Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)
default: --ignore-unfixed --vuln-type os
sbom-image:
default: registry.hub.docker.com/anchore/syft:debug
......@@ -57,8 +44,8 @@ spec:
variables:
MAVEN_SBOM_IMAGE: $[[ inputs.sbom-image ]]
MAVEN_SBOM_OPTS: $[[ inputs.sbom-opts ]]
MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
MAVEN_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
MAVEN_TRIVY_ARGS: $[[ inputs.trivy-args ]]
MAVEN_JIB_SNAPSHOT_IMAGE: $[[ inputs.jib-snapshot-image ]]
MAVEN_JIB_RELEASE_IMAGE: $[[ inputs.jib-release-image ]]
......@@ -66,8 +53,6 @@ variables:
MAVEN_JIB_PROD_PUBLISH_STRATEGY: $[[ inputs.jib-prod-publish-strategy ]]
MAVEN_SKOPEO_IMAGE: $[[ inputs.skopeo-image ]]
MAVEN_JIB_PUBLISH_ARGS: $[[ inputs.jib-publish-args ]]
MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
MAVEN_TRIVY_ADDR: $[[ inputs.trivy-addr ]]
.mvn-jib-scripts: &mvn-jib-scripts |
# BEGSCRIPT
......@@ -164,25 +149,19 @@ mvn-trivy:
export TRIVY_PASSWORD=${MAVEN_JIB_REGISTRY_SNAPSHOT_PASSWORD:-${MAVEN_JIB_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
export basename=$(echo "${MAVEN_JIB_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
mkdir -p ./reports
if [[ -z "${MAVEN_TRIVY_ADDR}" ]]; then
log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the MAVEN_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
trivy image --download-db-only
export trivy_opts="image"
else
log_info "You are using Trivy in client/server mode with the following server: ${MAVEN_TRIVY_ADDR}"
export trivy_opts="image --server ${MAVEN_TRIVY_ADDR}"
if [[ -z "$TRIVY_SERVER" ]]; then
log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
fi
# Add common trivy arguments
export trivy_opts="${trivy_opts} --no-progress --severity ${MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD} ${MAVEN_TRIVY_ARGS}"
# GitLab format (no fail)
trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $MAVEN_JIB_SNAPSHOT_IMAGE
# JSON format (no fail)
if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
then
trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $MAVEN_JIB_SNAPSHOT_IMAGE
fi
# console output (fail)
trivy ${trivy_opts} --format table --exit-code 1 $MAVEN_JIB_SNAPSHOT_IMAGE
# Generate the native JSON report that can later be converted to other formats
trivy image --no-progress ${MAVEN_TRIVY_ARGS} --exit-code 1 --format json --output reports/jib-trivy-${basename}.native.json $MAVEN_JIB_SNAPSHOT_IMAGE || exit_code=$?
# Generate a report in the GitLab format
trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/jib-trivy-${basename}.gitlab.json reports/jib-trivy-${basename}.native.json
# console output
trivy convert --format table reports/jib-trivy-${basename}.native.json
exit $exit_code
artifacts:
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 day
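Review bot: `exit_code` is never initialised before `trivy image ... --exit-code 1 ... || exit_code=$?`, so when the scan finds nothing `exit $exit_code` expands to a bare `exit` and the job status becomes whatever the last `trivy convert` returned instead of an explicit 0; add `exit_code=0` before the first `trivy image` call. In the same block, if `trivy image` fails for a reason other than findings (image pull or database download error), `reports/jib-trivy-${basename}.native.json` is not written and both `trivy convert` calls then fail with a less useful error than the original one; guard them with a check that the native JSON file exists. Finally, the report files are renamed from `docker-trivy-*` to `jib-trivy-*`: make sure the job's `artifacts` `paths`/`reports` entries (not in this hunk) follow the rename, and mention it in the BREAKING CHANGE footer, since downstream consumers of the `.gitlab.json` / `.native.json` files will break.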