diff --git a/README.md b/README.md
index 9d5f44e6bc712d2373bab2aec1c2060e893c3bdd..0c608d9475fde7d69a440db01196023724eb4717 100644
--- a/README.md
+++ b/README.md
@@ -247,7 +247,7 @@ It is bound to the `test` stage, and uses the following variables:
 | ---------------- | ----------------------------------------------------------------------- | ----------------- |
 | `trivy-disabled` / `PYTHON_TRIVY_DISABLED` | Set to `true` to disable Trivy job | _none_ (enabled) |
 | `trivy-dist-url` / `PYTHON_TRIVY_DIST_URL` | Url to the `tar.gz` package for `linux_amd64` of Trivy to use (ex: `https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ |
-| `trivy-args` / `PYTHON_TRIVY_ARGS` | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_filesystem/) | `--pkg-types library --detection-priority comprehensive` |
+| `trivy-args` / `PYTHON_TRIVY_ARGS` | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_filesystem/) | `--ignore-unfixed --pkg-types library --detection-priority comprehensive` |
 
 In addition to a textual report in the console, this job produces the following reports, kept for one day:
 
diff --git a/kicker.json b/kicker.json
index 687a3c8764df49a3d38f19318fd66f9c21a21e71..c6110d180d606b4b5b28a4c5a0a9bfb35889fbb9 100644
--- a/kicker.json
+++ b/kicker.json
@@ -145,7 +145,7 @@
 {
 "name": "PYTHON_TRIVY_ARGS",
 "description": "Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)",
-"default": "--pkg-types library --detection-priority comprehensive",
+"default": "--ignore-unfixed --pkg-types library --detection-priority comprehensive",
 "advanced": true
 }
 ]
diff --git a/templates/gitlab-ci-python.yml b/templates/gitlab-ci-python.yml
index 64c025a6aea62ff55555a02abf39ca5bcbc8639f..41665b429ec136edf0cd3112363607782b3925f4 100644
--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml
@@ -109,7 +109,7 @@ spec:
 default: ''
 trivy-args:
 description: Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)
-default: --pkg-types library --detection-priority comprehensive
+default: --ignore-unfixed --pkg-types library --detection-priority comprehensive
 sbom-disabled:
 description: Disable Software Bill of Materials
 type: boolean
@@ -1303,7 +1303,7 @@ py-trivy:
 then
 $python_trivy fs ${PYTHON_TRIVY_ARGS} --exit-code 0 --list-all-pkgs --format json --output reports/py-trivy.trivy.json ./reports/
 fi
-$python_trivy fs ${PYTHON_TRIVY_ARGS} --format table ./reports/
+$python_trivy fs ${PYTHON_TRIVY_ARGS} --exit-code 1 --format table ./reports/
 artifacts:
 name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
 expire_in: 1 day
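Review bot: The new `default: --ignore-unfixed --pkg-types library --detection-priority comprehensive` under `trivy-args` sits next to a `description:` that still links to the v0.21.1 CLI reference, which as far as I know predates `--pkg-types` and `--detection-priority`, while the README row changed in this same commit links to `latest`; pointing the description (and the matching one in kicker.json) at `https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_filesystem/` would make the three places agree. `--ignore-unfixed` also silently drops every finding that has no fixed version yet, which is a risk-acceptance decision rather than a scanner tuning; a short sentence in the description such as `By default vulnerabilities without an available fix are not reported; drop --ignore-unfixed to see them` would make that visible to anyone reading the input catalogue. The `spec.inputs` block this hunk belongs to starts outside the hunk.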
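Review bot: In the `py-trivy` script, `--exit-code 1` is appended after `${PYTHON_TRIVY_ARGS}`, so a project that puts its own `--exit-code 0` into `trivy-args` to keep the scan advisory is, as far as I know, still overridden because the last occurrence of the flag wins; if a non-blocking mode is meant to remain possible, take the exit code from a dedicated variable, and in any case state in the README row edited by this commit that the job now fails the pipeline whenever the table scan reports a vulnerability (no `--severity` filter is visible in the default arguments, so that is any severity). Keeping `--exit-code 0` on the preceding JSON run is the right order, since the report artifact is written before the blocking run can fail. The `if` guarding the JSON run and the job's `allow_failure`/`script` header start outside the hunk, so whether the failure is currently soft cannot be checked here.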