Commit 67bf3380 authored by Bengt Giger's avatar Bengt Giger

Drop trivy completely

parent a031c083
Pipeline #137218 passed with stages
in 5 minutes and 3 seconds
......@@ -25,48 +25,6 @@ variables:
# we use $CI_JOB_TOKEN here which is a special token provided by GitLab
- echo -n $CI_JOB_TOKEN | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY
Trivy scan:
stage: test
# image: docker:stable
tags:
- k8s-runner
image:
name: docker.io/aquasec/trivy:latest
entrypoint: [""]
variables:
# No need to clone the repo, we exclusively work on artifacts. See
# https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
GIT_STRATEGY: none
TRIVY_USERNAME: "$CI_REGISTRY_USER"
TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
TRIVY_AUTH_URL: "$CI_REGISTRY"
FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
script:
- trivy --version
# cache cleanup is needed when scanning images with the same tags, it does not remove the database
- time trivy image --clear-cache
# update vulnerabilities db
- time trivy --cache-dir .trivycache/ image --download-db-only --no-progress
# Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
- time trivy --cache-dir .trivycache/ image --security-checks vuln --exit-code 0 --no-progress --format template --template "@/contrib/gitlab.tpl"
--output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
# Prints full report
- time trivy --cache-dir .trivycache/ image --security-checks vuln --exit-code 0 --no-progress "$FULL_IMAGE_NAME"
# Fails on high and critical vulnerabilities
# Backported in Ubuntu 20.04
- echo "CVE-2019-0228" > .trivyignore
- time trivy --cache-dir .trivycache/ image --security-checks vuln --exit-code 1 --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
cache:
paths:
- .trivycache/
# Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
artifacts:
when: always
reports:
container_scanning: gl-container-scanning-report.json
Build tag:
# Build for a tag: write the tag, so the app can read and display the version
before_script:
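Review bot: With this hunk the pipeline keeps the registry login at `docker login` (line above) and the `Build tag` job but no longer has any image vulnerability gate between them: the removed job was the only step that failed the build on findings (`--exit-code 1 --severity CRITICAL`) and the only producer of `gl-container-scanning-report.json` for the `container_scanning` report. Unless scanning is performed elsewhere in the file or in a downstream pipeline (not visible here), images with critical CVEs now get tagged and shipped unchecked, and the commit message gives no reason or replacement. If Trivy itself is the problem, the cheapest like-for-like substitute is GitLab's own template, `include:` / `  - template: Security/Container-Scanning.gitlab-ci.yml`, which also keeps the security report in the MR widget. At minimum the commit message should state where container scanning now happens, or that the gate is intentionally dropped and why.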