Merge branch 'add-trivy-scanner' into 'master'

Add Trivy scanner stage

See merge request erichardson/py-eagle-mqtt!3

.gitlab-ci.yml

@@ -95,6 +95,7 @@ include:
 - template: Security/SAST.gitlab-ci.yml
 
 sonarqube-check:
+  stage: test
   image: 
     name: sonarsource/sonar-scanner-cli:latest
     entrypoint: [""]
@@ -110,3 +111,30 @@ sonarqube-check:
   allow_failure: true
   only:
     - master # or the name of your main branch
+    - branches
+
+trivy:
+  stage: test
+  extends:
+    - .docker_base
+  before_script:
+    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
+    - echo $TRIVY_VERSION
+    - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
+  allow_failure: true
+  script:
+    # Build image
+    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA ./Docker/
+    # Build report
+    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json image $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+    # Print report
+    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --severity HIGH image $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+    # Fail on severe vulnerabilities
+    - ./trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress image $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+  cache:
+    paths:
+      - .trivycache/
+  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
+  artifacts:
+    reports:
+      container_scanning: gl-container-scanning-report.json