From 671b78142c08cdd5bbf1441a81705b96dbf0740f Mon Sep 17 00:00:00 2001
From: Bertrand Goareguer <bertrand.goareguer@gmail.com>
Date: Sun, 20 Oct 2024 13:18:09 +0000
Subject: [PATCH] fix(Trivy): trivy scan fails when issues are found

---
 README.md                      | 2 +-
 kicker.json                    | 2 +-
 templates/gitlab-ci-python.yml | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 9d5f44e..0c608d9 100644
--- a/README.md
+++ b/README.md
@@ -247,7 +247,7 @@ It is bound to the `test` stage, and uses the following variables:
 | ---------------- | ----------------------------------------------------------------------- | ----------------- |
 | `trivy-disabled` / `PYTHON_TRIVY_DISABLED` | Set to `true` to disable Trivy job                                 | _none_ (enabled) |
 | `trivy-dist-url` / `PYTHON_TRIVY_DIST_URL` | Url to the `tar.gz` package for `linux_amd64` of Trivy to use (ex: `https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ |
-| `trivy-args` / `PYTHON_TRIVY_ARGS`       | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_filesystem/) | `--pkg-types library --detection-priority comprehensive`   |
+| `trivy-args` / `PYTHON_TRIVY_ARGS`       | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_filesystem/) | `--ignore-unfixed --pkg-types library --detection-priority comprehensive`   |
 
 In addition to a textual report in the console, this job produces the following reports, kept for one day:
 
diff --git a/kicker.json b/kicker.json
index 687a3c8..c6110d1 100644
--- a/kicker.json
+++ b/kicker.json
@@ -145,7 +145,7 @@
         {
           "name": "PYTHON_TRIVY_ARGS",
           "description": "Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)",
-          "default": "--pkg-types library --detection-priority comprehensive",
+          "default": "--ignore-unfixed --pkg-types library --detection-priority comprehensive",
           "advanced": true
         }
       ]
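Review bot: The `description` for `PYTHON_TRIVY_ARGS` still links the Trivy v0.21.1 CLI docs, while the README hunk in this same commit links the `latest` `trivy_filesystem` reference; `--pkg-types` and `--detection-priority` are recent flags and are unlikely to appear on the v0.21.1 page, so a user following this link cannot look up what the default does. I would align it with the README: `"description": "Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_filesystem/)"`. The description should also state that the default now ignores vulnerabilities with no fixed version, since that silently changes what the report contains for anyone who does not override the variable.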
diff --git a/templates/gitlab-ci-python.yml b/templates/gitlab-ci-python.yml
index 64c025a..41665b4 100644
--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml
@@ -109,7 +109,7 @@ spec:
       default: ''
     trivy-args:
       description: Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)
-      default: --pkg-types library --detection-priority comprehensive
+      default: --ignore-unfixed --pkg-types library --detection-priority comprehensive
     sbom-disabled:
       description: Disable Software Bill of Materials
       type: boolean
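Review bot: The new `--ignore-unfixed` default is applied through every `${PYTHON_TRIVY_ARGS}` expansion, so vulnerabilities that have no fixed version yet disappear from the JSON artifact as well as from the gating table run, and nothing in the `description` says so. Keeping them out of the gate is a reasonable way to stop the job failing on findings nobody can act on, but dropping them from the stored report means they cannot be tracked or triaged later. I would either document the trade-off, `description: Additional Trivy CLI options (default ignores vulnerabilities with no fixed version yet; remove --ignore-unfixed to report them)`, or take `--ignore-unfixed` out of the default and pass it only on the invocation that sets the exit code, leaving the JSON report complete.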
@@ -1303,7 +1303,7 @@ py-trivy:
       then
         $python_trivy fs ${PYTHON_TRIVY_ARGS} --exit-code 0 --list-all-pkgs --format json --output reports/py-trivy.trivy.json ./reports/
       fi
-      $python_trivy fs ${PYTHON_TRIVY_ARGS} --format table ./reports/
+      $python_trivy fs ${PYTHON_TRIVY_ARGS} --exit-code 1 --format table ./reports/
   artifacts:
     name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
     expire_in: 1 day
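Review bot: `--exit-code 1` on the table run makes the job fail on a finding of any severity, including LOW and UNKNOWN, because no `--severity` threshold is given; that is a much stricter gate than most projects want, and since the literal `--exit-code 1` comes after `${PYTHON_TRIVY_ARGS}` a user presumably cannot turn the gate back into warn-only mode from the args variable, only by disabling the whole job. Consider a dedicated threshold on the gating line, e.g. `$python_trivy fs ${PYTHON_TRIVY_ARGS} --exit-code 1 --severity "${PYTHON_TRIVY_FAIL_SEVERITY:-HIGH,CRITICAL}" --format table ./reports/`, exposed as its own input so the gate can be tuned without losing the other defaults. The JSON report line above correctly keeps `--exit-code 0` so the artifact is always produced; the `if` guarding it starts before this hunk, and the `py-trivy` job continues past it.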
-- 
GitLab