22 lines
873 B
YAML
22 lines
873 B
YAML
.repo-cve-scan-trivy:
|
|
image:
|
|
name: docker.io/aquasec/trivy:0.30.3
|
|
entrypoint: [ "" ]
|
|
stage: verify
|
|
needs: []
|
|
variables:
|
|
SCAN_PATH: $CI_PROJECT_DIR
|
|
EXITCODE: 1
|
|
TRIVY_EXTRA_ARGS: "--no-progress --ignore-unfixed --severity HIGH,CRITICAL"
|
|
TRIVY_CKECKS: "vuln,config,secret"
|
|
cache:
|
|
paths:
|
|
- .trivycache/
|
|
artifacts:
|
|
reports:
|
|
junit: junit-report.xml
|
|
script:
|
|
# Builds report and puts it in the default workdir $CI_PROJECT_DIR, so artifacts: can take it from there
|
|
- trivy --cache-dir .trivycache/ fs --timeout 15m $TRIVY_EXTRA_ARGS --exit-code 0 --security-checks $TRIVY_CKECKS --format template --format template --template "/contrib/junit.tpl" -o junit-report.xml $SCAN_PATH
|
|
- trivy --cache-dir .trivycache/ fs --timeout 15m $TRIVY_EXTRA_ARGS --exit-code $EXITCODE --security-checks $TRIVY_CKECKS $SCAN_PATH
|