diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f5f5e6909186a4871e0a6c7028fed8b353bf6bcb..4389c7bba2da9761f5fd4315685fd7616f6da358 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -5,6 +5,7 @@ include:
 stages:
 - lint
 - build
+ - test
 - changelog
 - release
diff --git a/images/.utils/gitlab-ci.yaml b/images/.utils/gitlab-ci.yaml
index 2a220de0253e8021701b8497ac4f06a2d33739cc..3dd935093575e8f8dadf49c71e05183c4f0c1822 100644
--- a/images/.utils/gitlab-ci.yaml
+++ b/images/.utils/gitlab-ci.yaml
@@ -67,3 +67,51 @@ container-build-dev:
 compare_to: main
 tags:
 - hetzner
+
+stages:
+ - test
+
+container-trivy-scan:
+ stage: test
+ extends: .container-matrix
+ image:
+ name: docker.io/aquasec/trivy:0.37.3
+ entrypoint: []
+ services:
+ - name: docker:dind
+ entrypoint: ["env", "-u", "DOCKER_HOST"]
+ command: ["dockerd-entrypoint.sh"]
+ variables:
+ DOCKER_HOST: tcp://docker:2375/
+ DOCKER_DRIVER: overlay2
+ # See https://github.com/docker-library/docker/pull/166
+ DOCKER_TLS_CERTDIR: ""
+ IMAGE: "quay.io/shivering-isles/${IMAGE}:${CI_COMMIT_SHORT_SHA}"
+ TRIVY_NO_PROGRESS: "true"
+ TRIVY_CACHE_DIR: ".trivycache/"
+ allow_failure: true
+ script:
+ # Image report
+ - trivy image --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE
+ # Filesystem report
+ - trivy filesystem --scanners config,vuln --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json .
+ # Combine report
+ - apk update && apk add jq
+ - jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > gl-codeclimate.json
+ cache:
+ paths:
+ - .trivycache/
+ artifacts:
+ paths:
+ - gl-codeclimate.json
+ reports:
+ codequality: gl-codeclimate.json
+ rules:
+ - if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"'
+ changes:
+ paths:
+ - images/${IMAGE}/**/*
+ - images/.utils/*
+ compare_to: main
+ tags:
+ - hetzner
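Review bot: The `test` stage added here is declared a second time as a top-level `stages: - test` block in the included `images/.utils/gitlab-ci.yaml` (second hunk), so the stage list now lives in two places. As far as I know GitLab lets the including `.gitlab-ci.yml` override the included file's `stages`, which makes that second block a no-op in this pipeline, but if the utils file is ever included by a configuration that defines no `stages` of its own, it would replace the whole list with just `test`. Keeping the stage list only in `.gitlab-ci.yml` and dropping the `stages:` block from the included file avoids the drift.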
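Review bot: `container-trivy-scan` can never fail the pipeline — both `trivy` invocations pass `--exit-code 0` and the job sets `allow_failure: true` — and its `rules:` entry only matches pushes to branches other than `$CI_DEFAULT_BRANCH`, so images built from the default branch are never scanned at all. If a report-only rollout is intended, a comment to that effect above `allow_failure: true` would make it explicit; otherwise add a gating pass after the report step, e.g. `- trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed $IMAGE`, and either drop the `$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH` clause or add a second rule for the default branch. Two smaller points in the same job: the `docker:dind` service carries no tag while the scanner image is pinned to `0.37.3`, and `jq` is fetched from the network at run time via `apk add`, both of which are supply-chain drift that a digest pin (`docker:dind@sha256:<digest>`, placeholder) and a prebuilt tool image would close. `.container-matrix`, which this job extends, is defined outside the hunk, so I can't confirm how the matrix `IMAGE` interacts with the job-level `IMAGE` that references `${IMAGE}`; it is worth verifying that it expands to the matrix entry rather than to itself.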