feat: add Trivy dependency scanner

f0faed09 · Bertrand Goareguer · Pierre Smeyers · 7eb53d2f · f0faed09 · f0faed09
Commit f0faed09 authored 3 years ago by Bertrand Goareguer Committed by Pierre Smeyers 3 years ago
--- a/README.md
+++ b/README.md
@@ -228,6 +228,21 @@ It is bound to the `test` stage, and uses the following variables:

 This job outputs a **textual report** in the console, and in case of failure also exports a JSON report in the `reports/`
 directory _(relative to project root dir)_.
+
+### `py-trivy` job (dependency check)
+
+This job is **disabled by default** and performs a dependency check analysis using [Trivy](https://github.com/aquasecurity/trivy/).
+
+It is bound to the `test` stage, and uses the following variables:
+
+| Name             | description                                                             | default value     |
+| ---------------- | ----------------------------------------------------------------------- | ----------------- |
+| `PYTHON_TRIVY_ENABLED` | Set to `true` to enable Trivy job                                           | _none_ (disabled) |
+| `PYTHON_TRIVY_ARGS`    | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/) | `--vuln-type library`   |
+
+This job outputs a **textual report** in the console, and in case of failure also exports a JSON report in the `reports/`
+directory _(relative to project root dir)_.
+
 ### Package jobs

 #### `py-package` job

--- a/kicker.json
+++ b/kicker.json
@@ -147,6 +147,20 @@
        }
      ]
    },
+    {
+      "id": "trivy",
+      "name": "Trivy",
+      "description": "Detect security vulnerabilities with [Trivy](https://github.com/aquasecurity/trivy/) (dependencies analysis)",
+      "enable_with": "PYTHON_TRIVY_ENABLED",
+      "variables": [
+        {
+          "name": "PYTHON_TRIVY_ARGS",
+          "description": "Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)",
+          "default": "--vuln-type library",
+          "advanced": true
+        }
+      ]
+    },
    {
      "id": "package",
      "name": "package",

--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml
@@ -36,6 +36,11 @@ variables:
  # Safety tool
  SAFETY_ARGS: "--full-report"

+  # Trivy tool
+  PYTHON_TRIVY_IMAGE: aquasec/trivy:latest
+  PYTHON_TRIVY_ARGS: "--vuln-type library"
+
+
  # Docs
  DOCS_REQUIREMENTS_FILE: docs-requirements.txt
  DOCS_DIRECTORY: docs
@@ -583,6 +588,49 @@ py-safety:
    - if: '$SAFETY_ENABLED == "true"'
      when: manual
      allow_failure: true
+
+# Trivy (dependency check)
+# Trivy only works if all dependencies are pinned to specific versions (e.g. with a poetry.lock file or a requirements.txt with all versions pinned)
+py-trivy:
+  extends: .python-base
+  image:
+    name: $PYTHON_TRIVY_IMAGE
+    entrypoint: [""]
+  stage: test
+  # force no dependencies
+  dependencies: []
+  script:
+    - mkdir -p reports
+    - chmod o+rwx reports
+    - |
+      if [ $(trivy fs ${PYTHON_TRIVY_ARGS} --format table --exit-code 0 $PYTHON_PROJECT_DIR | grep -c "Number of language-specific files: 0") -eq 1 ]; then
+        log_error "Could not find a file listing all dependencies with their versions."
+        exit 1
+      fi
+      trivy fs ${PYTHON_TRIVY_ARGS} --format table --exit-code 0 $PYTHON_PROJECT_DIR
+      trivy fs ${PYTHON_TRIVY_ARGS} --format json --output reports/trivy-python.json --exit-code 1 $PYTHON_PROJECT_DIR
+  
+  artifacts:
+    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+    expire_in: 1 day
+    when: always
+    paths:
+      - $PYTHON_PROJECT_DIR/reports/
+  rules:
+    # exclude merge requests
+    - if: $CI_MERGE_REQUEST_ID
+      when: never
+    # on production branch(es): if $TRIVY_ENABLED is set
+    # exclude if $PYTHON_TRIVY_ENABLED not set
+    - if: '$PYTHON_TRIVY_ENABLED != "true"'
+      when: never
+    # on production or integration branches: auto
+    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+    # on non-production, non-integration branches: manual & non-blocking
+    - if: '$PYTHON_TRIVY_ENABLED == "true"' # useless but prevents GitLab warning
+      when: manual
+      allow_failure: true
+
 ###############################################################################################
 #                                      package stage                                           #
 ###############################################################################################