From da20bbe045740f3e421d46e372f85ba3083a59a3 Mon Sep 17 00:00:00 2001
From: Evan Richardson
Date: Sun, 9 May 2021 02:37:51 +0000
Subject: [PATCH] Add Trivy scanner stage

---
 .gitlab-ci.yml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 8395dff..e09f074 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -95,6 +95,7 @@ include:
   - template: Security/SAST.gitlab-ci.yml
 
 sonarqube-check:
+  stage: test
   image:
     name: sonarsource/sonar-scanner-cli:latest
     entrypoint: [""]
@@ -110,3 +111,30 @@ sonarqube-check:
   allow_failure: true
   only:
     - master # or the name of your main branch
+    - branches
+
+trivy:
+  stage: test
+  extends:
+    - .docker_base
+  before_script:
+    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
+    - echo $TRIVY_VERSION
+    - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
+  allow_failure: true
+  script:
+    # Build image
+    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA ./Docker/
+    # Build report
+    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json image $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+    # Print report
+    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --severity HIGH image $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+    # Fail on severe vulnerabilities
+    - ./trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress image $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+  cache:
+    paths:
+      - .trivycache/
+  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
+  artifacts:
+    reports:
+      container_scanning: gl-container-scanning-report.json
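Review bot: The job-level `allow_failure: true` in the new `trivy` job makes the last step, `./trivy --exit-code 1 ... --severity CRITICAL`, advisory only, so the `# Fail on severe vulnerabilities` comment does not describe what the pipeline actually does; if CRITICAL findings are meant to block, drop that key (or narrow it to specific codes with `allow_failure: exit_codes:`) rather than leaving the gate silently disabled. The scanner itself is also fetched unpinned and unverified: `before_script` resolves `TRIVY_VERSION` from an unauthenticated api.github.com call on every run and pipes the release tarball straight into `tar -zxvf -` with no checksum check, so a rate-limited or unexpected response leaves the variable empty and the download URL malformed, and the gate's result depends on whatever the latest release happens to be. Prefer `- export TRIVY_VERSION="<pinned-version>"` and a `sha256sum -c` against the checksum file published with that release before extracting. The `--severity HIGH` print step on the line above only lists HIGH findings, so CRITICAL ones appear solely in the JSON report and the exit code; `--severity HIGH,CRITICAL` would make the console output match the gate.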