Skip to content
Snippets Groups Projects
Commit e62f19e9 authored by Pierre Smeyers's avatar Pierre Smeyers
Browse files

refactor(jib/trivy): enforce usage of Trivy environment variables 

- $MAVEN_TRIVY_ADDR removed in favor of $TRIVY_SERVER
- $MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD removed in favor of $TRIVY_SEVERITY

BREAKING CHANGE: 2 Trivy configuration params removed in favor of the native Trivy environment variables
parent 5fa7fec1
No related branches found
No related tags found
No related merge requests found
Show whitespace changes
Inline Side-by-side
README.md
+ 8
2
View file @ e62f19e9
......@@ -482,10 +482,16 @@ The template uses GitLab registries and authentication defaults. See the Docker
| -------------------------------------- | ------------------------ | ------------------------------------------------- |
| `sbom-image` / `MAVEN_SBOM_IMAGE` | The image used to perform and complete the Security Bill of Materials | `registry.hub.docker.com/anchore/syft:debug` |
| `sbom-opts` / `MAVEN_SBOM_OPTS` | SBOM options to complete the Security Bill of Materials | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,nix-store-cataloger,java` |
| `trivy-security-level-threshold` / `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` | Security level which fails the `mvn-trivy` job | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `trivy-image` / `MAVEN_TRIVY_IMAGE` | The image to perform container security scanning | `registry.hub.docker.com/aquasec/trivy:latest` |
| `trivy-args` / `MAVEN_TRIVY_ARGS` | Arguments for the execution of Trivy | `--ignore-unfixed --vuln-type os` |
| `trivy-args` / `MAVEN_TRIVY_ARGS` | Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) | `--ignore-unfixed --vuln-type os` |
Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options).
Examples:
* `TRIVY_SEVERITY`: severities of security issues to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)
* `TRIVY_SERVER`: server address (enables client/server mode)
* `TRIVY_DB_REPOSITORY`: OCI repository to retrieve Trivy Database from
* `TRIVY_JAVA_DB_REPOSITORY`: OCI repository to retrieve Trivy Java Database from
##### Jib build and publish configuration
......
kicker.json
+ 2
20
View file @ e62f19e9
......@@ -217,7 +217,7 @@
{
"id": "mvn-trivy",
"name": "Maven Trivy",
"description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis",
"description": "[Trivy](https://aquasecurity.github.io/trivy) vulnerability analysis",
"disable_with": "MAVEN_TRIVY_DISABLED",
"variables": [
{
......@@ -226,27 +226,9 @@
"default": "registry.hub.docker.com/aquasec/trivy:latest",
"advanced": true
},
{
"name": "MAVEN_TRIVY_ADDR",
"type": "url",
"description": "The Trivy server address"
},
{
"name": "MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD",
"type": "enum",
"values": [
"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
"LOW,MEDIUM,HIGH,CRITICAL",
"MEDIUM,HIGH,CRITICAL",
"HIGH,CRITICAL",
"CRITICAL"
],
"description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
"default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
},
{
"name": "MAVEN_TRIVY_ARGS",
"description": "Additional `trivy client` arguments",
"description": "Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)",
"default": "--ignore-unfixed --vuln-type os",
"advanced": true
}
......
templates/gitlab-ci-maven-jib.yml
+ 14
35
View file @ e62f19e9
......@@ -32,21 +32,8 @@ spec:
trivy-image:
description: The docker image used to scan images with Trivy
default: registry.hub.docker.com/aquasec/trivy:latest
trivy-addr:
description: The Trivy server address
default: ''
trivy-security-level-threshold:
description: 'Severities of vulnerabilities to be displayed (comma separated values:
`UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'
options:
- UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- LOW,MEDIUM,HIGH,CRITICAL
- MEDIUM,HIGH,CRITICAL
- HIGH,CRITICAL
- CRITICAL
default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
trivy-args:
description: Additional `trivy client` arguments
description: Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)
default: --ignore-unfixed --vuln-type os
sbom-image:
default: registry.hub.docker.com/anchore/syft:debug
......@@ -57,8 +44,8 @@ spec:
variables:
MAVEN_SBOM_IMAGE: $[[ inputs.sbom-image ]]
MAVEN_SBOM_OPTS: $[[ inputs.sbom-opts ]]
MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
MAVEN_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
MAVEN_TRIVY_ARGS: $[[ inputs.trivy-args ]]
MAVEN_JIB_SNAPSHOT_IMAGE: $[[ inputs.jib-snapshot-image ]]
MAVEN_JIB_RELEASE_IMAGE: $[[ inputs.jib-release-image ]]
......@@ -66,8 +53,6 @@ variables:
MAVEN_JIB_PROD_PUBLISH_STRATEGY: $[[ inputs.jib-prod-publish-strategy ]]
MAVEN_SKOPEO_IMAGE: $[[ inputs.skopeo-image ]]
MAVEN_JIB_PUBLISH_ARGS: $[[ inputs.jib-publish-args ]]
MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
MAVEN_TRIVY_ADDR: $[[ inputs.trivy-addr ]]
.mvn-jib-scripts: &mvn-jib-scripts |
# BEGSCRIPT
......@@ -164,25 +149,19 @@ mvn-trivy:
export TRIVY_PASSWORD=${MAVEN_JIB_REGISTRY_SNAPSHOT_PASSWORD:-${MAVEN_JIB_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
export basename=$(echo "${MAVEN_JIB_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
mkdir -p ./reports
if [[ -z "${MAVEN_TRIVY_ADDR}" ]]; then
log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the MAVEN_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
trivy image --download-db-only
export trivy_opts="image"
else
log_info "You are using Trivy in client/server mode with the following server: ${MAVEN_TRIVY_ADDR}"
export trivy_opts="image --server ${MAVEN_TRIVY_ADDR}"
if [[ -z "$TRIVY_SERVER" ]]; then
log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
fi
# Add common trivy arguments
export trivy_opts="${trivy_opts} --no-progress --severity ${MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD} ${MAVEN_TRIVY_ARGS}"
# GitLab format (no fail)
trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $MAVEN_JIB_SNAPSHOT_IMAGE
# JSON format (no fail)
if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
then
trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $MAVEN_JIB_SNAPSHOT_IMAGE
fi
# console output (fail)
trivy ${trivy_opts} --format table --exit-code 1 $MAVEN_JIB_SNAPSHOT_IMAGE
# Generate the native JSON report that can later be converted to other formats
trivy image --no-progress ${MAVEN_TRIVY_ARGS} --exit-code 1 --format json --output reports/jib-trivy-${basename}.native.json $MAVEN_JIB_SNAPSHOT_IMAGE || exit_code=$?
# Generate a report in the GitLab format
trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/jib-trivy-${basename}.gitlab.json reports/jib-trivy-${basename}.native.json
# console output
trivy convert --format table reports/jib-trivy-${basename}.native.json
exit $exit_code
artifacts:
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 day
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment