From bc31fc21564ef08590266f81bec7710382712bed Mon Sep 17 00:00:00 2001 From: Marcel Feix Date: Fri, 18 Feb 2022 21:12:42 +0100 Subject: [PATCH] feat(CVE-Scanner Repo): Add Repo scanner ci definition. --- repo-cve-scan.gitlab-ci.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 repo-cve-scan.gitlab-ci.yml diff --git a/repo-cve-scan.gitlab-ci.yml b/repo-cve-scan.gitlab-ci.yml new file mode 100644 index 0000000..2baef93 --- /dev/null +++ b/repo-cve-scan.gitlab-ci.yml @@ -0,0 +1,20 @@ +.repo_cve_scan: + image: + name: docker.io/aquasec/trivy:0.23.0 + entrypoint: [ "" ] + stage: test + needs: [] + variables: + EXITCODE: 1 + TRIVY_EXTRA_ARGS: "--no-progress --ignore-unfixed --severity HIGH,CRITICAL" + SCAN_PATH: "." + cache: + paths: + - .trivycache/ + artifacts: + reports: + junit: junit-report.xml + script: + # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so artifacts: can take it from there + - trivy --cache-dir .trivycache/ fs --timeout 15m $TRIVY_EXTRA_ARGS --exit-code 0 --security-checks vuln,config --format template --format template --template "/contrib/junit.tpl" -o junit-report.xml $SCAN_PATH + - trivy --cache-dir .trivycache/ fs --timeout 15m $TRIVY_EXTRA_ARGS --exit-code $EXITCODE --security-checks vuln,config $SCAN_PATH