Commit 0a795662 authored by Benoît

add VEX for trivy

parent 84045b37
......@@ -40,7 +40,7 @@ include:
for digest in $(cat image-digest-${ARCH}.txt); do
echo "Scanning image digest ${digest}"
skopeo inspect docker://${digest}
trivy image --output /tmp/image.sbom --format cosign-vuln --ignore-unfixed --severity HIGH,CRITICAL ${digest}
trivy image --output /tmp/image.sbom --format cosign-vuln --ignore-unfixed --vex repo --severity HIGH,CRITICAL ${digest}
cosign attest -y --key hashivault://cosign --predicate /tmp/image.sbom --type=vuln ${digest}
trivy image -f cyclonedx -o sbom.cdx.json ${digest}
cosign attest -y --key hashivault://cosign --type cyclonedx --predicate sbom.cdx.json ${digest}
......
......@@ -50,12 +50,14 @@ include:
trivy image ${TRIVY_OPTS} \
--exit-code 0 \
--severity HIGH,CRITICAL \
--vex repo --show-suppressed \
${CS_IMAGE}-${ARCH}
- |
echo -e "Generate CVE report for Gitlab"
trivy image ${TRIVY_OPTS} \
--exit-code 0 \
--severity HIGH,CRITICAL \
--vex repo \
--format template \
--template "@/usr/local/share/trivy/templates/gitlab.tpl" \
-o gl-container-scanning-report.json \
......@@ -65,6 +67,7 @@ include:
trivy image ${TRIVY_OPTS} \
--exit-code 0 \
--severity HIGH,CRITICAL \
--vex repo \
--format cosign-vuln \
-o cosign-vuln.json \
${CS_IMAGE}-${ARCH}
......@@ -73,6 +76,7 @@ include:
trivy image ${TRIVY_OPTS} \
--exit-code 0 \
--severity HIGH,CRITICAL \
--vex repo \
--format cyclonedx \
-o sbom.cdx.json \
${CS_IMAGE}-${ARCH}
......@@ -81,6 +85,7 @@ include:
trivy image ${TRIVY_OPTS} \
--exit-code 1 \
--severity CRITICAL \
--vex repo --show-suppressed \
${CS_IMAGE}-${ARCH}
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
......
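Review bot: With `--vex repo` on the blocking scan (the `--exit-code 1 --severity CRITICAL` call, lines 56-60) a CRITICAL finding can now be suppressed by a VEX statement fetched from whichever VEX repositories the runner's Trivy configuration points at, and nothing in this change pins that source, so the pass/fail gate depends on data that is neither versioned with the pipeline nor reviewed in the merge request. The repository configuration should be committed alongside this file (or the VEX document vendored and passed by path), and `--show-suppressed`, present on lines 28 and 59, is absent from the attested reports on lines 19 and 44, so the signed vuln attestation presumably omits suppressed findings without recording why they were dropped. The same flag is added to the CycloneDX SBOM generation on line 51; VEX filters vulnerability results, so unless `TRIVY_OPTS` enables the vuln scanner there it is likely a no-op and may be worth removing to keep the intent clear. The enclosing `script` blocks start and end outside the hunks.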