From f25719f6734010a0efac03c110efc410cef46085 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Mon, 27 Feb 2023 14:17:55 +0100
Subject: [PATCH] ci(trivy): Add trivy scan for all container images

---
 .gitlab-ci.yml               |  1 +
 images/.utils/gitlab-ci.yaml | 48 ++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f5f5e6909..4389c7bba 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -5,6 +5,7 @@ include:
 stages:
   - lint
   - build
+  - test
   - changelog
   - release
 
diff --git a/images/.utils/gitlab-ci.yaml b/images/.utils/gitlab-ci.yaml
index 2a220de02..3dd935093 100644
--- a/images/.utils/gitlab-ci.yaml
+++ b/images/.utils/gitlab-ci.yaml
@@ -67,3 +67,51 @@ container-build-dev:
         compare_to: main
   tags:
     - hetzner
+
+stages:
+  - test
+
+container-trivy-scan:
+  stage: test
+  extends: .container-matrix
+  image:
+    name: docker.io/aquasec/trivy:0.37.3
+    entrypoint: []
+  services:
+    - name: docker:dind
+      entrypoint: ["env", "-u", "DOCKER_HOST"]
+      command: ["dockerd-entrypoint.sh"]
+  variables:
+    DOCKER_HOST: tcp://docker:2375/
+    DOCKER_DRIVER: overlay2
+    # See https://github.com/docker-library/docker/pull/166
+    DOCKER_TLS_CERTDIR: ""
+    IMAGE: "quay.io/shivering-isles/${IMAGE}:${CI_COMMIT_SHORT_SHA}"
+    TRIVY_NO_PROGRESS: "true"
+    TRIVY_CACHE_DIR: ".trivycache/"
+  allow_failure: true
+  script:
+    # Image report
+    - trivy image --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE
+    # Filesystem report
+    - trivy filesystem --scanners config,vuln --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json .
+    # Combine report
+    - apk update && apk add jq
+    - jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > gl-codeclimate.json
+  cache:
+    paths:
+      - .trivycache/
+  artifacts:
+    paths:
+      - gl-codeclimate.json
+    reports:
+      codequality: gl-codeclimate.json
+  rules:
+    - if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"'
+      changes:
+        paths:
+          - images/${IMAGE}/**/*
+          - images/.utils/*
+        compare_to: main
+  tags:
+    - hetzner
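Review bot: `--exit-code 0` on both trivy invocations combined with `allow_failure: true` makes the new job purely advisory: neither a CRITICAL finding nor an infrastructure failure (image pull error, missing `contrib/gitlab-codequality.tpl`, apk failing) will ever mark the pipeline red, so results surface only if someone opens the Code Quality widget. Consider at least a severity gate as a final script step, e.g. `trivy image --exit-code 1 --severity CRITICAL --ignore-unfixed $IMAGE`, and dropping `allow_failure: true` so a broken scanner shows up as a failed job rather than a silent green. The `docker:dind` service with `DOCKER_HOST: tcp://docker:2375/` and `DOCKER_TLS_CERTDIR: ""` follows the documented GitLab pattern but exposes an unencrypted, unauthenticated daemon socket to the job; it is only acceptable because both run in the same job network, and a comment stating that assumption next to the existing link would help the next reader. Note also that `variables.IMAGE` is defined in terms of `${IMAGE}` from the `.container-matrix` template, which lies outside this hunk; if the job-level value is the one `rules.changes` sees, `images/${IMAGE}/**/*` would expand to a registry reference and never match, so this is worth confirming in an actual pipeline run.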
-- 
GitLab