paul/gilde-ci-cd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge branch 'cve_repo_scanner' into 'master'

Browse Source 
feat(CVE-Scanner Repo): Add Repo scanner ci definition.

See merge request gilden/ci/gitlab-ci-templates!57
This commit is contained in:
Marcel Feix 2022-03-04 12:05:15 +00:00
commit 8a8c293341
4 changed files with 55 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitlab-ci.yml
View File

@ -43,6 +43,7 @@ pages:
FILE_INPUT: "index.html,107524048,CI Templates" FILE_INPUT: "index.html,107524048,CI Templates"
extends: .pages-template extends: .pages-template
.release-template: .release-template:
trigger: trigger:
include: pipelines/update-version-pipeline.gitlab-ci.yml include: pipelines/update-version-pipeline.gitlab-ci.yml

30
documentation/chapters/templates/repo-cve-scan.adoc Normal file
View File

@ -0,0 +1,30 @@
:sourcedir: ../../../
= Repo-CVE-Scan
Scanned die gesamte Repo mit Trivy auf CVEs und Konfigurationsproblemen in Deployment files.
.Variables
|===
|Name |Description | Default Value
|EXITCODE
| Definiert den Exitcode der benutzt wird, wenn Trivy Probleme findet.
Bei 0 läuft die Pipeline durch, auch wenn Probleme gefunden werden.
Überlege, ob du die Flag `allow_failure: false` benutzen willst.
| 1
|TRIVY_EXTRA_ARGS
| Weitere Argumente die du an Trivy übergeben kannst.
| --no-progress --ignore-unfixed --severity HIGH,CRITICAL
|SCAN_PATH
| Der Path ab dem Trivy die Repo scannen soll.
| Root der Repository
|===
.Repo CVE scan template
[source, yaml]
----
include::{sourcedir}/repo-cve-scan.gitlab-ci.yml[]
----

4
documentation/document.adoc
View File

@ -83,6 +83,10 @@ Sollte dieser noch nicht vorhanden sein kann er mit dem Befehl `gradle wrapper`
include::chapters/templates/gradle-build-template.adoc[leveloffset=2] include::chapters/templates/gradle-build-template.adoc[leveloffset=2]
include::chapters/templates/gradle-test-template.adoc[leveloffset=2] include::chapters/templates/gradle-test-template.adoc[leveloffset=2]
== Misc
include::chapters/templates/repo-cve-scan.adoc[leveloffset=2]
== Weitere Gilden-Tools == Weitere Gilden-Tools
include::chapters/templates/tool-sonar7.adoc[leveloffset=2] include::chapters/templates/tool-sonar7.adoc[leveloffset=2]

20
repo-cve-scan.gitlab-ci.yml Normal file
View File

@ -0,0 +1,20 @@
.repo_cve_scan:
image:
name: docker.io/aquasec/trivy:0.24.2
entrypoint: [ "" ]
stage: test
needs: []
variables:
EXITCODE: 1
TRIVY_EXTRA_ARGS: "--no-progress --ignore-unfixed --severity HIGH,CRITICAL"
SCAN_PATH: "."
cache:
paths:
- .trivycache/
artifacts:
reports:
junit: junit-report.xml
script:
# Builds report and puts it in the default workdir $CI_PROJECT_DIR, so artifacts: can take it from there
- trivy --cache-dir .trivycache/ fs --timeout 15m $TRIVY_EXTRA_ARGS --exit-code 0 --security-checks vuln,config --format template --format template --template "/contrib/junit.tpl" -o junit-report.xml $SCAN_PATH
- trivy --cache-dir .trivycache/ fs --timeout 15m $TRIVY_EXTRA_ARGS --exit-code $EXITCODE --security-checks vuln,config $SCAN_PATH