Initial GitLab CI template to deeply integrated with GitLab Container…

… Scanning Signed-off-by: Takuya Noguchi <takninnovationresearch@gmail.com>
aquasecurity · Jan 23, 2020 · a3972fd · a3972fd
1 parent 4a7fb52
commit a3972fd
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/contrib/Trivy.gitlab-ci.yml b/contrib/Trivy.gitlab-ci.yml
@@ -0,0 +1,28 @@
+Trivy_container_scanning:
+  stage: test
+  image:
+    name: alpine
+  variables:
+    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
+    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
+    # for details
+    GIT_STRATEGY: none
+    IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
+  allow_failure: true
+  before_script:
+    - apk add --no-cache curl docker-cli
+    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+    - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin
+    - curl -sSL -o /tmp/trivy-gitlab.tpl https://github.com/aquasecurity/trivy/raw/master/contrib/gitlab.tpl
+  script:
+    - trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
+  cache:
+    paths:
+      - .trivycache/
+  artifacts:
+    reports:
+      container_scanning: gl-container-scanning-report.json
+  dependencies: []
+  only:
+    refs:
+      - branches