linuxoid69/test.yaml

## test.yaml
container_scanning:
  stage: test
  image:
    name: docker.io/aquasec/trivy:latest
    entrypoint: [""]
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    GIT_STRATEGY: none
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
  script:
    - trivy --version
    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
    - time trivy image --clear-cache
    # update vulnerabilities db
    - time trivy image --download-db-only --no-progress --cache-dir .trivycache/
    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
    - time trivy image --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/junit.tpl"
                       --output "$CI_PROJECT_DIR/gl-container-scanning-report.xml" "$FULL_IMAGE_NAME"
    # Prints full report
    - time trivy image --exit-code 0 --cache-dir .trivycache/ --no-progress "$FULL_IMAGE_NAME"
    # Fail on critical vulnerabilities
    - time trivy image --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
  artifacts:
    when: always
    reports:
      junit: gl-container-scanning-report.xml
	container_scanning:
	stage: test
	image:
	name: docker.io/aquasec/trivy:latest
	entrypoint: [""]
	variables:
	# No need to clone the repo, we exclusively work on artifacts. See
	# https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
	GIT_STRATEGY: none
	TRIVY_USERNAME: "$CI_REGISTRY_USER"
	TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
	TRIVY_AUTH_URL: "$CI_REGISTRY"
	FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
	script:
	- trivy --version
	# cache cleanup is needed when scanning images with the same tags, it does not remove the database
	- time trivy image --clear-cache
	# update vulnerabilities db
	- time trivy image --download-db-only --no-progress --cache-dir .trivycache/
	# Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
	- time trivy image --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/junit.tpl"
	--output "$CI_PROJECT_DIR/gl-container-scanning-report.xml" "$FULL_IMAGE_NAME"
	# Prints full report
	- time trivy image --exit-code 0 --cache-dir .trivycache/ --no-progress "$FULL_IMAGE_NAME"
	# Fail on critical vulnerabilities
	- time trivy image --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
	cache:
	paths:
	- .trivycache/
	# Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
	artifacts:
	when: always
	reports:
	junit: gl-container-scanning-report.xml