contrib: Add GitLab CI template to deeply integrated with GitLab Container Scanning #376
@tnir Thank you for the awesome contribution! We'll have a look soon.
Templating does look to be working well: https://gitlab.com/tnir/trivy-ci-test/-/jobs/412246842
contrib/Trivy.gitlab-ci.yml (Outdated)
- apk add --no-cache curl docker-cli | ||
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY | ||
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin | ||
- curl -sSL -o /tmp/trivy-gitlab.tpl https://github.com/aquasecurity/trivy/raw/master/contrib/gitlab.tpl |
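Review bot: the `docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY` line passes the registry password as a command-line argument, where it can end up in job logs and process listings; prefer `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"` and quote `$CI_REGISTRY`. The two `curl` fetches of `install.sh` and `gitlab.tpl` both point at `master`, so the template and the installed binary can drift apart, as the thread below notes; pinning both downloads to the same tag keeps them in sync.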
Is there a way we could not fetch this from master? If the template changes and the downloaded binary does not support it, this could cause incompatibilities.
Maybe we can parse $(trivy --version) and pull from the tag instead?
You are right. We should use environment variables to fix this. With environment variables that default to the Trivy version, (GitLab CI) users can inject an arbitrary version of the (Trivy-GitLab) template, which will reduce regressions and be helpful for users of non-latest GitLab versions.
Task list was moved to the description of the PR.
… Scanning Signed-off-by: Takuya Noguchi <takninnovationresearch@gmail.com>
Thanks! Awesome work!
… Scanning (aquasecurity#376) Signed-off-by: Takuya Noguchi <takninnovationresearch@gmail.com>
… Scanning (#376) Signed-off-by: Takuya Noguchi <takninnovationresearch@gmail.com>
Co-authored-by: Liam Galvin <liam.galvin@aquasec.com>
Adds a GitLab CI template with deep integration with GitLab Container Scanning (report), part of the GitLab Security Product.
cf. https://gitlab.com/gitlab-org/gitlab/blob/f156adcec4c48d304128f2a4a8987f9ad6408591/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
TODO

- alpine version to 3.11
- `export TRIVY_VERSION_FOR_TEMPLATE=${TRIVY_VERSION_FOR_TEMPLATE:-v0.4.3}`
- `s!tnir/trivy!aquasecurity/trivy!` after "Modify template for GitLab Container Scanning #387" gets merged
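The pinning the review thread asks for, resolving the template ref from the installed binary's version with the `TRIVY_VERSION_FOR_TEMPLATE` override from the TODO list, as an added POSIX sh example that is not part of the PR; the function names, the two `trivy --version` output shapes handled, and the sample version string are assumptions:

```shell
#!/bin/sh
# Added example, not the PR's own template: resolve the git ref that
# contrib/gitlab.tpl is fetched from, so template and binary stay in sync
# instead of always pulling master.
# Assumptions: TRIVY_VERSION_FOR_TEMPLATE is an optional override (as in the
# PR's TODO), and `trivy --version` output contains an X.Y.Z token on its
# first matching line ("trivy version 0.4.3" or "Version: 0.4.3").

# Extract the first X.Y.Z token from a version string and print it as a tag
# ("v0.4.3"). Prints nothing and returns 1 when no version is found, so the
# CI job fails loudly rather than silently falling back to master.
tag_from_version_output() {
  ver=$(printf ' %s\n' "$1" \
    | sed -n 's/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
    | head -n 1)
  if [ -z "$ver" ]; then
    echo "could not parse a Trivy version from: $1" >&2
    return 1
  fi
  printf 'v%s\n' "$ver"
}

# $1: override ref (may be empty), $2: raw `trivy --version` output.
template_ref() {
  if [ -n "$1" ]; then
    printf '%s\n' "$1"
  else
    tag_from_version_output "$2"
  fi
}

# Raw URL of the template at the resolved ref (same path the PR downloads).
template_url() {
  ref=$(template_ref "$1" "$2") || return 1
  printf 'https://github.com/aquasecurity/trivy/raw/%s/contrib/gitlab.tpl\n' "$ref"
}

# Constructed stand-in for "$(trivy --version)" so the example runs offline.
SAMPLE_VERSION_OUTPUT='trivy version 0.4.3'
template_url "${TRIVY_VERSION_FOR_TEMPLATE:-}" "$SAMPLE_VERSION_OUTPUT"
```

In the job, replace `SAMPLE_VERSION_OUTPUT` with the real `trivy --version` output and feed the printed URL to the existing `curl -sSL -o /tmp/trivy-gitlab.tpl` step.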