Commit 322eb1b8 authored by Bertrand Goareguer's avatar Bertrand Goareguer Committed by Girija Saint-Ange
feat(trivy): enable comprehensive priority

parent 0c32aa46
......@@ -246,7 +246,7 @@ It is bound to the `test` stage, and uses the following variables:
| ---------------- | ----------------------------------------------------------------------- | ----------------- |
| `trivy-disabled` / `PYTHON_TRIVY_DISABLED` | Set to `true` to disable Trivy job | _none_ (enabled) |
| `trivy-dist-url` / `PYTHON_TRIVY_DIST_URL` | Url to the `tar.gz` package for `linux_amd64` of Trivy to use (ex: `https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ |
| `trivy-args` / `PYTHON_TRIVY_ARGS` | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/) | `--pkg-types library` |
| `trivy-args` / `PYTHON_TRIVY_ARGS` | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/) | `--pkg-types library --detection-priority comprehensive` |
In addition to a textual report in the console, this job produces the following reports, kept for one day:
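Review bot: the new default `--detection-priority comprehensive` is not covered by the Trivy v0.21.1 CLI docs still linked in the `trivy-args` description, and the flag is newer than the v0.51.1 release used as the `trivy-dist-url` example two rows above, so a project that pins that documented version will fail the job with an unknown-flag error. Update the link to a current Trivy docs page, state the minimum Trivy version this default requires next to the `trivy-dist-url` row, and mention that `comprehensive` trades precision for recall (more findings, including looser version matching) so teams know why their report grew after upgrading the template.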
......@@ -299,7 +299,7 @@ This job **disabled by default** and runs [Ruff](https://docs.astral.sh/ruff/) o
| `ruff-args` / `RUFF_ARGS` | Additional [Ruff Linter CLI options](https://docs.astral.sh/ruff/configuration/#full-command-line-interface) | _none_ |
| `ruff-ext-exclude` / `RUFF_EXT_EXCLUDE` | Define [extend-exclude](https://docs.astral.sh/ruff/settings/#extend-exclude) files | _.venv,.cache_ |
:warning: Ruff can replace isort, Black, Bandit, Pylint and much more. [More info](https://github.com/astral-sh/ruff/blob/main/docs/faq.md#which-tools-does-ruff-replace).
:warning: Ruff can replace isort, Black, Bandit, Pylint and much more. [More info](https://github.com/astral-sh/ruff/blob/main/docs/faq.md#which-tools-does-ruff-replace).
In addition to logs in the console, this job produces the following reports, kept for one week:
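Review bot: the removed and added `:warning: Ruff can replace ...` lines are identical as rendered, so this is a whitespace-only change that has nothing to do with the Trivy feature in the commit title; keep it out of this commit or fold it into a separate `style:`/`chore:` change. While touching this block, the context line `This job **disabled by default** and runs` is missing a verb and should read `This job is **disabled by default** and runs`.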
......@@ -537,7 +537,7 @@ variables:
### Google Cloud variant
This variant allows to use Python Google Clients. The variant follow the recommendation [Authenticate for using client libraries](https://cloud.google.com/docs/authentication/client-libraries) with [ADC](https://cloud.google.com/docs/authentication/application-default-credentials)
This variant allows to use Python Google Clients. The variant follow the recommendation [Authenticate for using client libraries](https://cloud.google.com/docs/authentication/client-libraries) with [ADC](https://cloud.google.com/docs/authentication/application-default-credentials)
[Detailed article on internal OIDC impersonated with Workload Identify Federation](https://blog.salrashid.dev/articles/2021/understanding_workload_identity_federation/#oidc-impersonated)
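Review bot: another whitespace-only rewrite of the `This variant allows to use Python Google Clients` line, again unrelated to the Trivy change. Since the line is being rewritten anyway, fix the grammar: `This variant allows using the Python Google client libraries. It follows the recommendation ...`. The link text on the following line also has a typo, `Workload Identify Federation` should be `Workload Identity Federation`.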
......
......@@ -145,7 +145,7 @@
{
"name": "PYTHON_TRIVY_ARGS",
"description": "Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)",
"default": "--pkg-types library",
"default": "--pkg-types library --detection-priority comprehensive",
"advanced": true
}
]
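Review bot: the `default` for `PYTHON_TRIVY_ARGS` is now duplicated in three places (this kicker JSON, the README table and the template `spec` block), and the `description` here still points at the v0.21.1 Trivy docs, which predate `--detection-priority`. At minimum update the link and add the minimum Trivy version to the description; longer term, consider generating the README table from this JSON so the three defaults cannot drift apart.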
......@@ -350,4 +350,4 @@
]
}
]
}
\ No newline at end of file
}
......@@ -108,7 +108,7 @@ spec:
default: ''
trivy-args:
description: Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)
default: --pkg-types library
default: --pkg-types library --detection-priority comprehensive
sbom-disabled:
description: Disable Software Bill of Materials
type: boolean
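Review bot: because `trivy-args` is a single string with a default, a user who sets it to override `--detection-priority` replaces the whole default and silently loses `--pkg-types library` as well, so the scan scope changes without anyone asking for it. Either split the two concerns into separate inputs (for example a `trivy-detection-priority` input with `precise`/`comprehensive` values) or document explicitly that any override must re-specify `--pkg-types library`.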
......@@ -521,9 +521,9 @@ variables:
decoded=$(mktemp)
errors=$(mktemp)
# shellcheck disable=SC2086
if python3 -c "import urllib.request ; urllib.request.urlretrieve(\"$url\",\"${decoded}\")" > "${errors}" 2>&1
if python3 -c "import urllib.request ; urllib.request.urlretrieve(\"$url\",\"${decoded}\")" > "${errors}" 2>&1
then
export ${name}="$(cat ${decoded})"
export ${name}="$(cat ${decoded})"
log_info "Successfully fetched secret \\e[33;1m${name}\\e[0m"
else
log_warn "Failed getting secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"
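Review bot: the `if python3 -c ...` and `export ${name}="$(cat ${decoded})"` lines are whitespace-only changes, but the export line deserves a real fix while it is being touched: `${name}` is used unquoted and unvalidated as the left-hand side of an `export`, so a name containing spaces or `=` (or anything else that is not a valid identifier) would export unintended variables or extra names. Check it first, e.g. `[[ "${name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || { log_warn "invalid secret name ${name}"; return; }`, quote `"${decoded}"` in the `cat`, and make sure both `mktemp` files are removed after use since one of them holds the decoded secret.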
......@@ -622,7 +622,7 @@ variables:
elif [[ -f "Pipfile" ]]
then
log_info "--- Build system auto-detected: Pipenv"
export "pipenv"
export PYTHON_BUILD_SYSTEM="pipenv"
else
log_error "--- Build system auto-detect failed: please read template doc"
exit 1
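Review bot: `export "pipenv"` was a genuine bug (it exported an empty variable named `pipenv` and left `PYTHON_BUILD_SYSTEM` unset, so Pipenv auto-detection silently did nothing), and `export PYTHON_BUILD_SYSTEM="pipenv"` is the right fix. It is unrelated to the Trivy change though; land it as its own `fix(python): set PYTHON_BUILD_SYSTEM when Pipfile is detected` commit so the changelog and any semantic-release tooling pick it up as a fix.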
......@@ -815,7 +815,7 @@ variables:
if [[ "$PYTHON_BUILD_SYSTEM" =~ ^poetry ]]
then
maybe_install_poetry
if [[ "$PYTHON_PACKAGE_ENABLED" != "true" ]]
then
log_info "--- build packages (poetry)..."
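Review bot: whitespace-only change on the `if [[ "$PYTHON_PACKAGE_ENABLED" != "true" ]]` line, but the condition reads inverted at first glance: packages are built only when `PYTHON_PACKAGE_ENABLED` is not `true`. If this is intentional (a dedicated package job takes over when the variable is set), add a one-line comment above the `if` saying so; the same applies to the `build`/`twine` branch in the next hunk.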
......@@ -828,7 +828,7 @@ variables:
else
# shellcheck disable=SC2086
pip install ${PIP_OPTS} build twine
if [[ "$PYTHON_PACKAGE_ENABLED" != "true" ]]
then
log_info "--- build packages (build)..."
......@@ -981,7 +981,7 @@ py-ruff:
stage: build
script:
- mkdir -p -m 777 reports
- |
- |
if [[ ${BANDIT_ENABLED} == "true" || ${PYLINT_ENABLED} == "true" || ${PYTHON_ISORT_ENABLED} == "true" || ${PYTHON_BLACK_ENABLED} == "true" ]]; then
log_warn "Ruff can replace isort, Black, Bandit, Pylint"
fi
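Review bot: the `- |` line change is whitespace only, but `mkdir -p -m 777 reports` two lines above should not survive review: the job runs as a single user inside its own container, so a world-writable reports directory buys nothing and only invites trouble if the workspace is shared or cached. `mkdir -p reports` (default umask) is sufficient; the same pattern is worth checking in the other jobs of this template.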
......@@ -994,7 +994,7 @@ py-ruff:
ruff check . ${RUFF_ARGS} ${RUFF_EXCLUDE:---extend-exclude .venv,.cache} --exit-zero --output-format json --output-file reports/py-ruff.native.json
fi
# then GitLab and grouped/console formats
- ruff check . ${RUFF_ARGS} ${RUFF_EXCLUDE:---extend-exclude .venv,.cache} --output-format gitlab --output-file reports/py-ruff.gitlab.json || ruff check . ${RUFF_ARGS} ${RUFF_EXCLUDE:---extend-exclude .venv,.cache} --output-format grouped
- ruff check . ${RUFF_ARGS} ${RUFF_EXCLUDE:---extend-exclude .venv,.cache} --output-format gitlab --output-file reports/py-ruff.gitlab.json || ruff check . ${RUFF_ARGS} ${RUFF_EXCLUDE:---extend-exclude .venv,.cache} --output-format grouped
artifacts:
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 day
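Review bot: the rewritten `ruff check ... || ruff check ...` line exposes a mismatch with the README: the documentation advertises `ruff-ext-exclude` / `RUFF_EXT_EXCLUDE` with default `.venv,.cache`, while the script reads `${RUFF_EXCLUDE:---extend-exclude .venv,.cache}`. Besides the different variable name, the default embeds the `--extend-exclude` flag in the value, so a user who sets `RUFF_EXCLUDE=.git` as documented would drop the flag entirely and pass `.git` to Ruff as a positional path. Use the documented variable name and keep the flag in the command: `--extend-exclude "${RUFF_EXT_EXCLUDE:-.venv,.cache}"`. Also note the `||` fallback reruns the full lint in `grouped` format on every non-zero exit, i.e. whenever there are findings, which doubles the job runtime in the common case; `--output-format gitlab` plus a separate `grouped` run with `--exit-zero` would be clearer.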
......@@ -1187,7 +1187,7 @@ py-trivy:
tar zxf trivy.tar.gz trivy
mkdir -p $XDG_CACHE_HOME
mv ./trivy $python_trivy
fi
fi
- |
case "$PYTHON_BUILD_SYSTEM" in
poetry*|pipenv*)
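Review bot: the `fi` change is whitespace only, but the install block above it does `tar zxf trivy.tar.gz trivy` and moves the binary into the cache with no checksum or signature check anywhere in the shown lines. Since `trivy-dist-url` is fully user-controlled and the default resolves to "latest", the scanner that gates this pipeline is itself an unverified download. Record the expected SHA-256 of the pinned release (Trivy publishes checksum files next to its release archives) and verify it before extracting, or at least document that projects should pin `trivy-dist-url` to a reviewed version and hash.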
......@@ -1274,7 +1274,7 @@ py-sbom:
paths:
- "$PYTHON_PROJECT_DIR/reports/py-sbom.cyclonedx.json"
reports:
cyclonedx:
cyclonedx:
- "$PYTHON_PROJECT_DIR/reports/py-sbom.cyclonedx.json"
rules:
# exclude if disabled
......