paul/gilde-ci-cd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Feat/cve scan add cachedir and junit report

Browse Source
This commit is contained in:
Fabian Widmann 2021-07-05 07:45:28 +00:00 committed by Marcel Feix
parent 771785ef5c
commit d2ac295a76
1 changed files with 23 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
container-scan.yml
View File

@ -3,16 +3,23 @@
stage: test stage: test
variables: variables:
TRIVY_VERSION: 0.18.3 TRIVY_VERSION: 0.18.3
EXITCODE_ON_HIGH: 1 EXITCODE_ON_HIGH: 1
EXITCODE_ON_CRITICAL: 1 EXITCODE_ON_CRITICAL: 1
before_script: before_script:
- curl -L "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" --output trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz - curl -L "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" --output trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
- tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz - tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
script: script:
- mvn $MAVEN_CLI_OPTS compile jib:buildTar -DskipTests - mvn $MAVEN_CLI_OPTS compile jib:buildTar -DskipTests
- ./trivy --exit-code $EXITCODE_ON_HIGH --severity HIGH --no-progress --auto-refresh --input target/jib-image.tar - ./trivy --cache-dir .trivycache/ --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input target/jib-image.tar
- ./trivy --exit-code $EXITCODE_ON_CRITICAL --severity CRITICAL --no-progress --auto-refresh --input target/jib-image.tar - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE_ON_HIGH --severity HIGH --no-progress --auto-refresh --input target/jib-image.tar
- ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE_ON_CRITICAL --severity CRITICAL --no-progress --auto-refresh --input target/jib-image.tar
cache:
paths:
- .trivycache/
artifacts:
reports:
junit: junit-report.xml
.scan-container-kaniko: .scan-container-kaniko:
stage: test stage: test
image: image:
@ -23,12 +30,19 @@
PROJECT_DIR: $CI_PROJECT_DIR PROJECT_DIR: $CI_PROJECT_DIR
DOCKERFILE_LOCATION: $CI_PROJECT_DIR/Dockerfile DOCKERFILE_LOCATION: $CI_PROJECT_DIR/Dockerfile
CONTEXT_LOCATION: $CI_PROJECT_DIR CONTEXT_LOCATION: $CI_PROJECT_DIR
EXITCODE_ON_HIGH: 1 EXITCODE_ON_HIGH: 1
EXITCODE_ON_CRITICAL: 1 EXITCODE_ON_CRITICAL: 1
before_script: before_script:
- wget "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" - wget "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
- tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz - tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
script: script:
- /kaniko/executor --context $CONTEXT_LOCATION --dockerfile $DOCKERFILE_LOCATION --cache-dir cache/image --tarPath image.tar --no-push --destination image - /kaniko/executor --context $CONTEXT_LOCATION --dockerfile $DOCKERFILE_LOCATION --cache-dir cache/image --tarPath image.tar --no-push --destination image
- ./trivy --exit-code $EXITCODE_ON_HIGH --severity HIGH --no-progress --auto-refresh --input image.tar - ./trivy --cache-dir .trivycache/ --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
- ./trivy --exit-code $EXITCODE_ON_CRITICAL --severity CRITICAL --no-progress --auto-refresh --input image.tar - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE_ON_HIGH --severity HIGH --no-progress --auto-refresh --input image.tar
- ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE_ON_CRITICAL --severity CRITICAL --no-progress --auto-refresh --input image.tar
cache:
paths:
- .trivycache/
artifacts:
reports:
junit: junit-report.xml