Build a Docker container and then scan it with Aquasec Trivy in GitLab CI. Fail for HIGH and CRITICAL findings.
| trivy: | |
| tags: | |
| - kubernetes | |
| stage: test | |
| image: docker:stable | |
| services: | |
| - name: docker:dind | |
| entrypoint: ["env", "-u", "DOCKER_HOST"] | |
| command: ["dockerd-entrypoint.sh"] | |
| variables: | |
| DOCKER_HOST: tcp://docker:2375/ | |
| DOCKER_DRIVER: overlay2 | |
| # See https://github.com/docker-library/docker/pull/166 | |
| DOCKER_TLS_CERTDIR: "" | |
| IMAGE: trivy-ci-test:$CI_COMMIT_SHA | |
| before_script: | |
| - apk add --no-cache curl | |
| - export VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') | |
| - echo $VERSION | |
| - wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz | |
| - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz | |
| allow_failure: true | |
| script: | |
| # Build image | |
| - docker build -t $IMAGE . | |
| # Build report | |
| - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE | |
| # Print report | |
| - ./trivy --exit-code 1 --cache-dir .trivycache/ --no-progress --severity HIGH,CRITICAL $IMAGE | |
| cache: | |
| paths: | |
| - .trivycache/ | |
| # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold) | |
| artifacts: | |
| reports: | |
| container_scanning: gl-container-scanning-report.json |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment