Merge branch 'cve_repo_scanner' into 'master'

feat(CVE-Scanner Repo): Add Repo scanner ci definition. See merge request gilden/ci/gitlab-ci-templates!57
2022-03-04 12:05:15 +00:00 · 2022-03-04 12:05:15 +00:00 · 8a8c293341
commit 8a8c293341
parent 6f42a0c2e4 c354de2e56
4 changed files with 55 additions and 0 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -43,6 +43,7 @@ pages:
    FILE_INPUT: "index.html,107524048,CI Templates"
  extends: .pages-template

+
 .release-template:
  trigger:
    include: pipelines/update-version-pipeline.gitlab-ci.yml
--- a/documentation/chapters/templates/repo-cve-scan.adoc
+++ b/documentation/chapters/templates/repo-cve-scan.adoc
@ -0,0 +1,30 @@
+:sourcedir: ../../../
+
+= Repo-CVE-Scan
+
+Scanned die gesamte Repo mit Trivy auf CVEs und Konfigurationsproblemen in Deployment files.
+
+.Variables
+|===
+|Name |Description | Default Value
+|EXITCODE
+| Definiert den Exitcode der benutzt wird, wenn Trivy Probleme findet.
+Bei 0 läuft die Pipeline durch, auch wenn Probleme gefunden werden.
+Überlege, ob du die Flag `allow_failure: false` benutzen willst.
+| 1
+
+|TRIVY_EXTRA_ARGS
+| Weitere Argumente die du an Trivy übergeben kannst.
+| --no-progress --ignore-unfixed --severity HIGH,CRITICAL
+
+|SCAN_PATH
+| Der Path ab dem Trivy die Repo scannen soll.
+| Root der Repository
+
+|===
+
+.Repo CVE scan template
+[source, yaml]
+----
+include::{sourcedir}/repo-cve-scan.gitlab-ci.yml[]
+----
--- a/documentation/document.adoc
+++ b/documentation/document.adoc
@ -83,6 +83,10 @@ Sollte dieser noch nicht vorhanden sein kann er mit dem Befehl `gradle wrapper`
 include::chapters/templates/gradle-build-template.adoc[leveloffset=2]
 include::chapters/templates/gradle-test-template.adoc[leveloffset=2]

+== Misc
+
+include::chapters/templates/repo-cve-scan.adoc[leveloffset=2]
+
 == Weitere Gilden-Tools

 include::chapters/templates/tool-sonar7.adoc[leveloffset=2]
--- a/repo-cve-scan.gitlab-ci.yml
+++ b/repo-cve-scan.gitlab-ci.yml
@ -0,0 +1,20 @@
+.repo_cve_scan:
+  image:
+    name: docker.io/aquasec/trivy:0.24.2
+    entrypoint: [ "" ]
+  stage: test
+  needs: []
+  variables:
+    EXITCODE: 1
+    TRIVY_EXTRA_ARGS: "--no-progress --ignore-unfixed --severity HIGH,CRITICAL"
+    SCAN_PATH: "."
+  cache:
+    paths:
+      - .trivycache/
+  artifacts:
+    reports:
+      junit: junit-report.xml
+  script:
+    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so artifacts: can take it from there
+    - trivy --cache-dir .trivycache/ fs --timeout 15m $TRIVY_EXTRA_ARGS --exit-code 0 --security-checks vuln,config --format template  --format template --template "/contrib/junit.tpl" -o junit-report.xml $SCAN_PATH
+    - trivy --cache-dir .trivycache/ fs --timeout 15m $TRIVY_EXTRA_ARGS --exit-code $EXITCODE --security-checks vuln,config $SCAN_PATH