.repo-cve-scan-trivy:
  image:
    name: docker.io/aquasec/trivy:0.30.4
    entrypoint: [ "" ]
  stage: verify
  needs: []
  variables:
    SCAN_PATH: $CI_PROJECT_DIR
    EXITCODE: 1
    TRIVY_EXTRA_ARGS: "--no-progress --ignore-unfixed --severity HIGH,CRITICAL"
    TRIVY_CKECKS: "vuln,config,secret"
  cache:
    paths:
      - .trivycache/
  artifacts:
    reports:
      junit: junit-report.xml
  script:
    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so artifacts: can take it from there
    - trivy --cache-dir .trivycache/ fs --timeout 15m $TRIVY_EXTRA_ARGS --exit-code 0 --security-checks $TRIVY_CKECKS --format template  --format template --template "/contrib/junit.tpl" -o junit-report.xml $SCAN_PATH
    - trivy --cache-dir .trivycache/ fs --timeout 15m $TRIVY_EXTRA_ARGS --exit-code $EXITCODE --security-checks $TRIVY_CKECKS $SCAN_PATH