Verified Commit f25719f6 authored by Sheogorath's avatar Sheogorath :european_castle:

ci(trivy): Add trivy scan for all container images

parent 1f336dea
...@@ -5,6 +5,7 @@ include: ...@@ -5,6 +5,7 @@ include:
stages: stages:
- lint - lint
- build - build
- test
- changelog - changelog
- release - release
......
...@@ -67,3 +67,51 @@ container-build-dev: ...@@ -67,3 +67,51 @@ container-build-dev:
compare_to: main compare_to: main
tags: tags:
- hetzner - hetzner
stages:
- test
container-trivy-scan:
stage: test
extends: .container-matrix
image:
name: docker.io/aquasec/trivy:0.37.3
entrypoint: []
services:
- name: docker:dind
entrypoint: ["env", "-u", "DOCKER_HOST"]
command: ["dockerd-entrypoint.sh"]
variables:
DOCKER_HOST: tcp://docker:2375/
DOCKER_DRIVER: overlay2
# See https://github.com/docker-library/docker/pull/166
DOCKER_TLS_CERTDIR: ""
IMAGE: "quay.io/shivering-isles/${IMAGE}:${CI_COMMIT_SHORT_SHA}"
TRIVY_NO_PROGRESS: "true"
TRIVY_CACHE_DIR: ".trivycache/"
allow_failure: true
script:
# Image report
- trivy image --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE
# Filesystem report
- trivy filesystem --scanners config,vuln --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json .
# Combine report
- apk update && apk add jq
- jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > gl-codeclimate.json
cache:
paths:
- .trivycache/
artifacts:
paths:
- gl-codeclimate.json
reports:
codequality: gl-codeclimate.json
rules:
- if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"'
changes:
paths:
- images/${IMAGE}/**/*
- images/.utils/*
compare_to: main
tags:
- hetzner
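Review bot: The second top-level `stages:` key at the head of this hunk (`stages:` / `- test`, directly after the trailing `- hetzner` of container-build-dev) duplicates the top-level `stages:` list that the first hunk already extends with `- test`; parsers that tolerate duplicate keys keep the last value, which would leave `test` as the only declared stage and break every job assigned to lint, build, changelog or release, so these two lines should be dropped. The new job `container-trivy-scan` also redefines `IMAGE` in terms of itself (`IMAGE: "quay.io/shivering-isles/${IMAGE}:${CI_COMMIT_SHORT_SHA}"`) while its `rules:changes` entry `images/${IMAGE}/**/*` still expects the short matrix value; if the job-level override takes precedence over the value supplied by `.container-matrix` (defined outside this hunk), the change filter stops matching, so giving the scan target its own name, e.g. `SCAN_IMAGE: "quay.io/shivering-isles/${IMAGE}:${CI_COMMIT_SHORT_SHA}"` and passing `$SCAN_IMAGE` to `trivy image`, removes the ambiguity. Finally, `allow_failure: true` together with `--exit-code 0` on both scans means findings can never affect the pipeline result and surface only through the code-quality report, which is reasonable for a first rollout but should be stated, e.g. `# Informational only: findings never fail the pipeline (allow_failure + --exit-code 0)`, and revisited with a `--severity`/`--exit-code 1` gate once the baseline is clean.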