From 322eb1b88c49d9a1662ad6b6199541f1a82860ef Mon Sep 17 00:00:00 2001 From: Bertrand Goareguer <bertrand.goareguer@gmail.com> Date: Fri, 4 Oct 2024 14:15:38 +0000 Subject: [PATCH] feat(trivy): enable comprehensive priority --- README.md | 6 +++--- kicker.json | 4 ++-- templates/gitlab-ci-python.yml | 20 ++++++++++---------- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 5d7a06e..41e71fa 100644 --- a/README.md +++ b/README.md @@ -246,7 +246,7 @@ It is bound to the `test` stage, and uses the following variables: | ---------------- | ----------------------------------------------------------------------- | ----------------- | | `trivy-disabled` / `PYTHON_TRIVY_DISABLED` | Set to `true` to disable Trivy job | _none_ (enabled) | | `trivy-dist-url` / `PYTHON_TRIVY_DIST_URL` | Url to the `tar.gz` package for `linux_amd64` of Trivy to use (ex: `https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ | -| `trivy-args` / `PYTHON_TRIVY_ARGS` | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/) | `--pkg-types library` | +| `trivy-args` / `PYTHON_TRIVY_ARGS` | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/) | `--pkg-types library --detection-priority comprehensive` | In addition to a textual report in the console, this job produces the following reports, kept for one day: 
@@ -299,7 +299,7 @@ This job **disabled by default** and runs [Ruff](https://docs.astral.sh/ruff/) o | `ruff-args` / `RUFF_ARGS` | Additional [Ruff Linter CLI options](https://docs.astral.sh/ruff/configuration/#full-command-line-interface) | _none_ | | `ruff-ext-exclude` / `RUFF_EXT_EXCLUDE` | Define [extend-exclude](https://docs.astral.sh/ruff/settings/#extend-exclude) files | _.venv,.cache_ | -:warning: Ruff can replace isort, Black, Bandit, Pylint and much more. [More info](https://github.com/astral-sh/ruff/blob/main/docs/faq.md#which-tools-does-ruff-replace). +:warning: Ruff can replace isort, Black, Bandit, Pylint and much more. [More info](https://github.com/astral-sh/ruff/blob/main/docs/faq.md#which-tools-does-ruff-replace). In addition to logs in the console, this job produces the following reports, kept for one week: @@ -537,7 +537,7 @@ variables: ### Google Cloud variant -This variant allows to use Python Google Clients. The variant follow the recommendation [Authenticate for using client libraries](https://cloud.google.com/docs/authentication/client-libraries) with [ADC](https://cloud.google.com/docs/authentication/application-default-credentials) +This variant allows to use Python Google Clients. The variant follow the recommendation [Authenticate for using client libraries](https://cloud.google.com/docs/authentication/client-libraries) with [ADC](https://cloud.google.com/docs/authentication/application-default-credentials) [Detailed article on internal OIDC impersonated with Workload Identify Federation](https://blog.salrashid.dev/articles/2021/understanding_workload_identity_federation/#oidc-impersonated) diff --git a/kicker.json b/kicker.json index cec169c..bd36a3a 100644 --- a/kicker.json +++ b/kicker.json 
@@ -145,7 +145,7 @@ { "name": "PYTHON_TRIVY_ARGS", "description": "Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)", - "default": "--pkg-types library", + "default": "--pkg-types library --detection-priority comprehensive", "advanced": true } ] @@ -350,4 +350,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/templates/gitlab-ci-python.yml b/templates/gitlab-ci-python.yml index dfa8684..63cc8cc 100644 --- a/templates/gitlab-ci-python.yml +++ b/templates/gitlab-ci-python.yml @@ -108,7 +108,7 @@ spec: default: '' trivy-args: description: Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/) - default: --pkg-types library + default: --pkg-types library --detection-priority comprehensive sbom-disabled: description: Disable Software Bill of Materials type: boolean @@ -521,9 +521,9 @@ variables: decoded=$(mktemp) errors=$(mktemp) # shellcheck disable=SC2086 - if python3 -c "import urllib.request ; urllib.request.urlretrieve(\"$url\",\"${decoded}\")" > "${errors}" 2>&1 + if python3 -c "import urllib.request ; urllib.request.urlretrieve(\"$url\",\"${decoded}\")" > "${errors}" 2>&1 then - export ${name}="$(cat ${decoded})" + export ${name}="$(cat ${decoded})" log_info "Successfully fetched secret \\e[33;1m${name}\\e[0m" else log_warn "Failed getting secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")" @@ -622,7 +622,7 @@ variables: elif [[ -f "Pipfile" ]] then log_info "--- Build system auto-detected: Pipenv" - export "pipenv" + export PYTHON_BUILD_SYSTEM="pipenv" else log_error "--- Build system auto-detect failed: please read template doc" exit 1 @@ -815,7 +815,7 @@ variables: if [[ "$PYTHON_BUILD_SYSTEM" =~ ^poetry ]] then maybe_install_poetry - + if [[ "$PYTHON_PACKAGE_ENABLED" != "true" ]] then log_info "--- build packages (poetry)..." 
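Review bot: The new default `--detection-priority comprehensive` in kicker.json (and the matching `trivy-args` default in the templates/gitlab-ci-python.yml spec hunk on this same line) is only accepted by Trivy releases that ship that flag, yet the README still gives `v0.51.1` as the example `PYTHON_TRIVY_DIST_URL`, and to my knowledge that release predates the flag, so a project pinning an older distribution would presumably have Trivy reject the arguments and fail the `py-trivy` job. Because this is a default in a shared template, every consumer that leaves `trivy-args` unset silently picks up both the flag and the higher-recall (and higher false-positive) findings, which can turn previously green pipelines red. Consider stating the requirement in the variable description, e.g. `"description": "Additional [Trivy CLI options](…) — the default --detection-priority flag requires a recent Trivy release; pin PYTHON_TRIVY_DIST_URL accordingly"`, and refreshing the `v0.21.1` documentation link, which will not describe the new flag.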
@@ -828,7 +828,7 @@ variables: else # shellcheck disable=SC2086 pip install ${PIP_OPTS} build twine - + if [[ "$PYTHON_PACKAGE_ENABLED" != "true" ]] then log_info "--- build packages (build)..." @@ -981,7 +981,7 @@ py-ruff: stage: build script: - mkdir -p -m 777 reports - - | + - | if [[ ${BANDIT_ENABLED} == "true" || ${PYLINT_ENABLED} == "true" || ${PYTHON_ISORT_ENABLED} == "true" || ${PYTHON_BLACK_ENABLED} == "true" ]]; then log_warn "Ruff can replace isort, Black, Bandit, Pylint" fi @@ -994,7 +994,7 @@ py-ruff: ruff check . ${RUFF_ARGS} ${RUFF_EXCLUDE:---extend-exclude .venv,.cache} --exit-zero --output-format json --output-file reports/py-ruff.native.json fi # then GitLab and grouped/console formats - - ruff check . ${RUFF_ARGS} ${RUFF_EXCLUDE:---extend-exclude .venv,.cache} --output-format gitlab --output-file reports/py-ruff.gitlab.json || ruff check . ${RUFF_ARGS} ${RUFF_EXCLUDE:---extend-exclude .venv,.cache} --output-format grouped + - ruff check . ${RUFF_ARGS} ${RUFF_EXCLUDE:---extend-exclude .venv,.cache} --output-format gitlab --output-file reports/py-ruff.gitlab.json || ruff check . ${RUFF_ARGS} ${RUFF_EXCLUDE:---extend-exclude .venv,.cache} --output-format grouped artifacts: name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG" expire_in: 1 day @@ -1187,7 +1187,7 @@ py-trivy: tar zxf trivy.tar.gz trivy mkdir -p $XDG_CACHE_HOME mv ./trivy $python_trivy - fi + fi - | case "$PYTHON_BUILD_SYSTEM" in poetry*|pipenv*) @@ -1274,7 +1274,7 @@ py-sbom: paths: - "$PYTHON_PROJECT_DIR/reports/py-sbom.cyclonedx.json" reports: - cyclonedx: + cyclonedx: - "$PYTHON_PROJECT_DIR/reports/py-sbom.cyclonedx.json" rules: # exclude if disabled -- GitLab