Make vulnerabilities reporting optional (#1908)

.circleci/config.yml

@@ -36,6 +36,7 @@ jobs:
         type: string
       report_url:
         type: string
+        default: ""
     environment:
       SCAN_IMAGE: << parameters.docker_image >>
       SCAN_TOOL: Trivy
@@ -317,7 +318,6 @@ workflows:
     when:
       and:
         - << pipeline.parameters.scan-docker-images >>
-        - << pipeline.parameters.scan-docker-images-report-url >>
         - not: << pipeline.parameters.qa-release >>
     jobs:
       - trivy-scan-docker:

.circleci/config.yml.j2

@@ -34,6 +34,7 @@ jobs:
         type: string
       report_url:
         type: string
+        default: ""
     environment:
       SCAN_IMAGE: << parameters.docker_image >>
       SCAN_TOOL: Trivy
@@ -252,7 +253,6 @@ workflows:
     when:
       and:
         - << pipeline.parameters.scan-docker-images >>
-        - << pipeline.parameters.scan-docker-images-report-url >>
         - not: << pipeline.parameters.qa-release >>
     jobs:
       - trivy-scan-docker:

bin/trivy-scan.sh

@@ -10,9 +10,14 @@ GIT_ROOT="$(git -C "${0%/*}" rev-parse --show-toplevel)"
 GIT_RELEASE="$(git symbolic-ref -q --short HEAD || git describe --tags --exact-match)"
 scan_target="$1"
 ignore_file="$2"
+TRIVY_REPORT_FORMAT="json"
 
 set +exo pipefail
 
+if [ -z "$ASTRO_SEC_ENDPOINT" ]; then
+  TRIVY_REPORT_FORMAT="table"
+fi
+
 trivy \
   --cache-dir /tmp/workspace/trivy-cache \
   image \
@@ -21,7 +26,7 @@ trivy \
   --ignore-unfixed \
   --exit-code 1 \
   --no-progress \
-  --format json \
+  --format "${TRIVY_REPORT_FORMAT}" \
   "${scan_target}" >"${GIT_ROOT}/trivy-output.txt"
 exit_code=$?
 
@@ -31,7 +36,7 @@ cat "${GIT_ROOT}/trivy-output.txt"
 # - https://github.com/aquasecurity/trivy/issues/481 2020-04-30
 if grep -q -i 'OS is not detected' trivy-output.txt; then
   echo "Skipping the Trivy scan because of unsupported OS"
-elif [ "${exit_code}" -gt 0 ]; then
+elif [[ (-n "$ASTRO_SEC_ENDPOINT") && ("${exit_code}" -gt 0) ]]; then
 
   set -o xtrace