feat(cve): add option to ignore unfixable issues

container-scan.gitlab-ci.yml

@@ -28,14 +28,21 @@
     PROJECT_DIR: $CI_PROJECT_DIR
     DOCKERFILE_LOCATION: $CI_PROJECT_DIR/Dockerfile
     CONTEXT_LOCATION: $CI_PROJECT_DIR
+    IGNORE_UNFIXABLE: "true"
     EXITCODE: 1
   before_script:
     - wget "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
     - tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
   script:
     - /kaniko/executor --context $CONTEXT_LOCATION --dockerfile $DOCKERFILE_LOCATION --cache-dir cache/image --tarPath  image.tar --no-push --destination image --skip-tls-verify
-    - ./trivy --cache-dir .trivycache/ --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
-    - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input image.tar
+    - >
+      if [ $IGNORE_UNFIXED = "true" ] ; then
+       ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
+       ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input image.tar
+      else
+        ./trivy --cache-dir .trivycache/ --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
+        ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input image.tar
+      fi
 
   cache:
     paths: