trivy.yml

spec:
  inputs:
    stage:
      description: 'The stage to run Trivy scan'
      type: string
      default: 'scan'
    image_name:
      description: 'The image name to scan'
      type: string
      default: '$CI_REGISTRY_IMAGE'
    image_tag:
      description: 'The image tag to scan'
      type: string
      default: '$CI_COMMIT_SHORT_SHA'
---

trivy:
  image:
    name: docker.io/aquasec/trivy:latest
    entrypoint: [""]
  stage: $[[ inputs.stage ]]
  variables:
    # Exclude built-in rubygems
    TRIVY_OPTIONS: --skip-dirs /usr/local/lib/ruby/gems
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    GIT_STRATEGY: none
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    FULL_IMAGE_NAME: "$[[ inputs.image_name | expand_vars ]]:$[[ inputs.image_tag | expand_vars ]]"
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: ".trivycache/"
  cache:
    key: trivy-shared
    paths:
      - .trivycache/
  needs:
    - docker
  script:
    - trivy --version
    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
    - time trivy clean --scan-cache
    # update vulnerabilities db
    - time trivy image --download-db-only
    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
    - time trivy image --exit-code 0 --format template --template "@/contrib/gitlab.tpl"
        --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
        --timeout 15m
    # Prints full report
    - time trivy image --exit-code 0 "$FULL_IMAGE_NAME"
    # Fail on critical vulnerabilities
    - time trivy image --exit-code 1 --skip-java-db-update $TRIVY_OPTIONS --severity CRITICAL "$FULL_IMAGE_NAME"
  interruptible: true
  artifacts:
    when:
    reports:
      container_scanning: gl-container-scanning-report.json
  rules:
    - if: '$CI_COMMIT_TAG'