feat(trivy): enable comprehensive priority

322eb1b8 · Bertrand Goareguer · Girija Saint-Ange · 0c32aa46 · 322eb1b8 · 322eb1b8
Commit 322eb1b8 authored 7 months ago by Bertrand Goareguer Committed by Girija Saint-Ange 7 months ago
--- a/README.md
+++ b/README.md
@@ -246,7 +246,7 @@ It is bound to the `test` stage, and uses the following variables:
 | ---------------- | ----------------------------------------------------------------------- | ----------------- |
 | `trivy-disabled` / `PYTHON_TRIVY_DISABLED` | Set to `true` to disable Trivy job                                 | _none_ (enabled) |
 | `trivy-dist-url` / `PYTHON_TRIVY_DIST_URL` | Url to the `tar.gz` package for `linux_amd64` of Trivy to use (ex: `https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ |
-| `trivy-args` / `PYTHON_TRIVY_ARGS`       | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/) | `--pkg-types library`   |
+| `trivy-args` / `PYTHON_TRIVY_ARGS`       | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/) | `--pkg-types library --detection-priority comprehensive`   |

 In addition to a textual report in the console, this job produces the following reports, kept for one day:


--- a/kicker.json
+++ b/kicker.json
@@ -145,7 +145,7 @@
        {
          "name": "PYTHON_TRIVY_ARGS",
          "description": "Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)",
-          "default": "--pkg-types library",
+          "default": "--pkg-types library --detection-priority comprehensive",
          "advanced": true
        }
      ]

--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml
@@ -108,7 +108,7 @@ spec:
      default: ''
    trivy-args:
      description: Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)
-      default: --pkg-types library
+      default: --pkg-types library --detection-priority comprehensive
    sbom-disabled:
      description: Disable Software Bill of Materials
      type: boolean
@@ -622,7 +622,7 @@ variables:
    elif [[ -f "Pipfile" ]]
    then
      log_info "--- Build system auto-detected: Pipenv"
-      export "pipenv"
+      export PYTHON_BUILD_SYSTEM="pipenv"
    else
      log_error "--- Build system auto-detect failed: please read template doc"
      exit 1