diff --git a/README.md b/README.md
index afbe028d6ee042b6366a5d2c316724bcbbfcdf5b..c8704d5961d5dda803c8355720ba7c50f3c55b2f 100644
--- a/README.md
+++ b/README.md
@@ -482,10 +482,16 @@ The template uses GitLab registries and authentication defaults. See the Docker | -------------------------------------- | ------------------------ | ------------------------------------------------- | | `sbom-image` / `MAVEN_SBOM_IMAGE` | The image used to perform and complete the Security Bill of Materials | `registry.hub.docker.com/anchore/syft:debug` | | `sbom-opts` / `MAVEN_SBOM_OPTS` | SBOM options to complete the Security Bill of Materials | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,nix-store-cataloger,java` | -| `trivy-security-level-threshold` / `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` | Security level which fails the `mvn-trivy` job | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | | `trivy-image` / `MAVEN_TRIVY_IMAGE` | The image to perform container security scanning | `registry.hub.docker.com/aquasec/trivy:latest` | -| `trivy-args` / `MAVEN_TRIVY_ARGS` | Arguments for the execution of Trivy | `--ignore-unfixed --vuln-type os` | +| `trivy-args` / `MAVEN_TRIVY_ARGS` | Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) | `--ignore-unfixed --vuln-type os` | +Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options). +Examples: + +* `TRIVY_SEVERITY`: severities of security issues to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) +* `TRIVY_SERVER`: server address (enables client/server mode) +* `TRIVY_DB_REPOSITORY`: OCI repository to retrieve Trivy Database from +* `TRIVY_JAVA_DB_REPOSITORY`: OCI repository to retrieve Trivy Java Database from ##### Jib build and publish configuration diff --git a/kicker.json b/kicker.json index 6da98c7844d658a5c77825c75d3ea1a93cc70dc0..57d6a484077b531036eaae96cb672e4a722fafb7 100644 
--- a/kicker.json
+++ b/kicker.json
@@ -217,7 +217,7 @@
 {
 "id": "mvn-trivy",
 "name": "Maven Trivy",
- "description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis",
+ "description": "[Trivy](https://aquasecurity.github.io/trivy) vulnerability analysis",
 "disable_with": "MAVEN_TRIVY_DISABLED",
 "variables": [
 {
@@ -226,27 +226,9 @@
 "default": "registry.hub.docker.com/aquasec/trivy:latest",
 "advanced": true
 },
- {
- "name": "MAVEN_TRIVY_ADDR",
- "type": "url",
- "description": "The Trivy server address"
- },
- {
- "name": "MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD",
- "type": "enum",
- "values": [
- "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
- "LOW,MEDIUM,HIGH,CRITICAL",
- "MEDIUM,HIGH,CRITICAL",
- "HIGH,CRITICAL",
- "CRITICAL"
- ],
- "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
- "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
- },
 {
 "name": "MAVEN_TRIVY_ARGS",
- "description": "Additional `trivy client` arguments",
+ "description": "Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)",
 "default": "--ignore-unfixed --vuln-type os",
 "advanced": true
 }
diff --git a/templates/gitlab-ci-maven-jib.yml b/templates/gitlab-ci-maven-jib.yml
index 33f19fac37a1e4df9133611f7901bf34e68f236b..65f3e0bf4ec913d32562320f9d6e76da58822492 100644
--- a/templates/gitlab-ci-maven-jib.yml
+++ b/templates/gitlab-ci-maven-jib.yml
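Review bot: With `MAVEN_TRIVY_ADDR` and `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` dropped from the `mvn-trivy` variable list, the descriptor no longer exposes any knob for the server address or the severity filter, although the README hunk says these must now be set through `TRIVY_SERVER` and `TRIVY_SEVERITY`. If kicker.json feeds a configuration UI (inferred from its shape), declaring `TRIVY_SERVER` (type `url`) and `TRIVY_SEVERITY` (the same enum and default as the removed threshold) would keep the severity gate discoverable instead of silently removing it; the same applies to the `spec.inputs` hunk of `templates/gitlab-ci-maven-jib.yml`. At minimum the `MAVEN_TRIVY_ARGS` description could carry a migration hint such as `server address and severity are now set with TRIVY_SERVER / TRIVY_SEVERITY`.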
@@ -32,21 +32,8 @@ spec:
 trivy-image:
 description: The docker image used to scan images with Trivy
 default: registry.hub.docker.com/aquasec/trivy:latest
- trivy-addr:
- description: The Trivy server address
- default: ''
- trivy-security-level-threshold:
- description: 'Severities of vulnerabilities to be displayed (comma separated values:
- `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'
- options:
- - UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- - LOW,MEDIUM,HIGH,CRITICAL
- - MEDIUM,HIGH,CRITICAL
- - HIGH,CRITICAL
- - CRITICAL
- default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
 trivy-args:
- description: Additional `trivy client` arguments
+ description: Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)
 default: --ignore-unfixed --vuln-type os
 sbom-image:
 default: registry.hub.docker.com/anchore/syft:debug
@@ -57,8 +44,8 @@ spec:
 variables:
 MAVEN_SBOM_IMAGE: $[[ inputs.sbom-image ]]
 MAVEN_SBOM_OPTS: $[[ inputs.sbom-opts ]]
- MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
 MAVEN_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
+ MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
 MAVEN_TRIVY_ARGS: $[[ inputs.trivy-args ]]
 MAVEN_JIB_SNAPSHOT_IMAGE: $[[ inputs.jib-snapshot-image ]]
 MAVEN_JIB_RELEASE_IMAGE: $[[ inputs.jib-release-image ]]
@@ -66,8 +53,6 @@ variables:
 MAVEN_JIB_PROD_PUBLISH_STRATEGY: $[[ inputs.jib-prod-publish-strategy ]]
 MAVEN_SKOPEO_IMAGE: $[[ inputs.skopeo-image ]]
 MAVEN_JIB_PUBLISH_ARGS: $[[ inputs.jib-publish-args ]]
- MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
- MAVEN_TRIVY_ADDR: $[[ inputs.trivy-addr ]]
 
 .mvn-jib-scripts: &mvn-jib-scripts |
 # BEGSCRIPT
@@ -164,25 +149,19 @@ mvn-trivy:
 export TRIVY_PASSWORD=${MAVEN_JIB_REGISTRY_SNAPSHOT_PASSWORD:-${MAVEN_JIB_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
 export basename=$(echo "${MAVEN_JIB_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
 mkdir -p ./reports
- if [[ -z "${MAVEN_TRIVY_ADDR}" ]]; then
- log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the MAVEN_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
- trivy image --download-db-only
- export trivy_opts="image"
- else
- log_info "You are using Trivy in client/server mode with the following server: ${MAVEN_TRIVY_ADDR}"
- export trivy_opts="image --server ${MAVEN_TRIVY_ADDR}"
+ if [[ -z "$TRIVY_SERVER" ]]; then
+ log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
 fi
- # Add common trivy arguments
- export trivy_opts="${trivy_opts} --no-progress --severity ${MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD} ${MAVEN_TRIVY_ARGS}"
- # GitLab format (no fail)
- trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $MAVEN_JIB_SNAPSHOT_IMAGE
- # JSON format (no fail)
- if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
- then
- trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $MAVEN_JIB_SNAPSHOT_IMAGE
- fi
- # console output (fail)
- trivy ${trivy_opts} --format table --exit-code 1 $MAVEN_JIB_SNAPSHOT_IMAGE
+ # Generate the native JSON report that can later be converted to other formats
+ trivy image --no-progress ${MAVEN_TRIVY_ARGS} --exit-code 1 --format json --output reports/jib-trivy-${basename}.native.json $MAVEN_JIB_SNAPSHOT_IMAGE || exit_code=$?
+
+ # Generate a report in the GitLab format
+ trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/jib-trivy-${basename}.gitlab.json reports/jib-trivy-${basename}.native.json
+
+ # console output
+ trivy convert --format table reports/jib-trivy-${basename}.native.json
+
+ exit $exit_code
 artifacts:
 name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
 expire_in: 1 day
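Review bot: `exit_code` is only assigned in the `|| exit_code=$?` branch, so on a clean scan `exit $exit_code` expands to a bare `exit` and the job status silently becomes whatever the last `trivy convert` returned; initialise it with `exit_code=0` before the scan (under `set -u` the current form would abort outright). When `trivy image` fails before writing the JSON (database download, registry auth), the first `trivy convert` then aborts the job with an unrelated error under GitLab's default `set -e`, so a guard such as `[[ -f "reports/jib-trivy-${basename}.native.json" ]] || exit "$exit_code"` before the conversions keeps the scan's own status. The removed `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` and `MAVEN_TRIVY_ADDR` are now ignored without any message, so a project that used the threshold to gate only on `HIGH,CRITICAL` starts failing on every LOW finding; a `log_warn` when either is still set, or mapping them onto `TRIVY_SEVERITY`/`TRIVY_SERVER`, would make the migration visible. The report prefix changes from `docker-trivy-` to `jib-trivy-`; the `artifacts:` `paths`/`reports` entries after the hunk are not visible here and presumably need the same rename. The `mvn-trivy` job starts before and continues past the hunk.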