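---
# Reusable GitLab CI template: scans the repository checkout with Trivy,
# publishes the result as a Dependency Scanning report and notifies about
# fixable findings. Jobs opt in with `extends: .repository-scanning`.
variables:
  # Quoted so a YAML loader never retypes the values; GitLab still expands them.
  ENVIRONMENT: "$CI_COMMIT_REF_SLUG"
  # Top-level variables are visible to every job of the pipeline; keep the
  # backing CI/CD variables masked (and protected where the branch setup allows).
  ISSUE_ACCESS_TOKEN: "$CI_ISSUE_TOKEN"
  SLACK_TOKEN: "$CI_SLACK_TOKEN"

# Hidden job (leading dot): never runs on its own, only when extended.
.repository-scanning:
  image:
    # `latest` is a moving target: a scanner or rule update can change results
    # between two runs of the same commit — prefer pinning a release tag or digest.
    name: codeflixde/csi-red-alert:latest
    # Empty entrypoint so GitLab runs `script` with its own shell.
    entrypoint: [""]
  script:
    - trivy --version
    # Refresh the vulnerability DB into the cached directory.
    - time trivy --download-db-only --no-progress --cache-dir .trivycache/
    # Build the report in $CI_PROJECT_DIR so `artifacts:` can pick it up.
    # Exit code 0: this step never fails the job. Every scan below passes the
    # same --cache-dir so the DB downloaded above is actually reused.
    - >-
      time trivy filesystem --exit-code 0 --no-progress --cache-dir .trivycache/
      --format template --template "@/contrib/gitlab.tpl"
      --output "$CI_PROJECT_DIR/gl-repository-scanning-report.json" ./
    # Print the full report to the job log.
    - time trivy filesystem --exit-code 0 --no-progress --cache-dir .trivycache/ ./
    # Notify about fixable vulnerabilities. Arguments are quoted so the shell
    # does not word-split or glob-expand them.
    - node /app/main.js -f "$CI_PROJECT_DIR/gl-repository-scanning-report.json" -e "$ENVIRONMENT" -c sourceCode -i "$CI_PROJECT_PATH"
    # Gate step: non-zero exit on MEDIUM, HIGH or CRITICAL findings that have a fix
    # (unfixed findings are ignored here, matching the notification above).
    - time trivy filesystem --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL --no-progress --cache-dir .trivycache/ ./
  # The gate step marks the job failed, but allow_failure keeps the pipeline
  # green — findings are reported, not enforced. Set to false to make them blocking.
  allow_failure: true
  artifacts:
    # Upload explicitly regardless of job status: the report matters most
    # exactly when the gate step exits non-zero.
    when: always
    reports:
      dependency_scanning: gl-repository-scanning-report.json
  cache:
    paths:
      - .trivycache/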