Improve trivy scan

633de3f6 · Benoît · bc45d5fa · 633de3f6
Commit 633de3f6 authored 11 months ago by Benoît
--- a/container/test.yaml
+++ b/container/test.yaml
@@ -19,16 +19,10 @@ include:
      - "reports/*"
 .tpl:container:test:cve:
-  # Requirements:
-  # - A `test` stage to be present in the pipeline.
-  # - You must define the image to be scanned in the CS_IMAGE variable. If CS_IMAGE is the
-  #   same as $CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG, you can skip this.
-  # - Container registry credentials defined by `CS_REGISTRY_USER` and `CS_REGISTRY_PASSWORD` variables if the
-  # image to be scanned is in a private registry.
-  # - For auto-remediation, a readable Dockerfile in the root of the project or as defined by the
-  #   CS_DOCKERFILE_PATH variable.
-  image: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:6$CS_IMAGE_SUFFIX"
  stage: scan
+  parallel:
+    matrix:
+      - ARCH: amd64
  before_script:
    - |
        if [[ -z "${CI_COMMIT_TAG}" ]]; then
@@ -39,40 +33,67 @@ include:
          export CI_APPLICATION_TAG=${CI_APPLICATION_TAG:-$CI_COMMIT_TAG}
          export DOCKER_HUB_DESTINATION=captnbp/${IMAGE_NAME:-$CI_PROJECT_NAME}
        fi
-        export CI_IMAGE=${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}-amd64
+        export CI_IMAGE=${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
        export CS_IMAGE=${CI_IMAGE}
        echo "Destination image ${CI_IMAGE}"
  variables:
-    CS_ANALYZER_IMAGE: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:6"
+    TRIVY_OPTS: --ignore-unfixed --show-suppressed
-    CS_SCHEMA_MODEL: 15
-    # To provide a `vulnerability-allowlist.yml` file, override the GIT_STRATEGY variable in your
-    # `.gitlab-ci.yml` file and set it to `fetch`.
-    # For details, see the following links:
-    # https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
-    # https://docs.gitlab.com/ee/user/application_security/container_scanning/#vulnerability-allowlisting
-    GIT_STRATEGY: none
  allow_failure: true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
-      dependency_scanning: gl-dependency-scanning-report.json
+    paths: [gl-container-scanning-report.json, "cosign-vuln", ]
-    paths: [gl-container-scanning-report.json, gl-dependency-scanning-report.json, "**/gl-sbom-*.cdx.json"]
  dependencies: []
  script:
-    - gtcs scan
+    - |
+      echo -e "Check for High and Critical CVEs"
+      trivy image ${TRIVY_OPTS} \
+        --exit-code 0 \
+        --severity HIGH,CRITICAL \
+        ${CS_IMAGE}-${ARCH}
+    - |
+      echo -e "Generate CVE report for Gitlab"
+      trivy image ${TRIVY_OPTS} \
+        --exit-code 0 \
+        --severity HIGH,CRITICAL \
+        --format template \
+        --template "@/usr/local/share/trivy/templates/gitlab.tpl" \
+        -o gl-container-scanning-report.json \
+        ${CS_IMAGE}-${ARCH}
+    - |
+      echo -e "Generate Json Vuln report SBOM"
+      trivy image ${TRIVY_OPTS} \
+        --exit-code 0 \
+        --severity HIGH,CRITICAL \
+        --format cosign-vuln \
+        -o cosign-vuln.json \
+        ${CS_IMAGE}-${ARCH}
+    - |
+      echo -e "Generate CyncloneDX SBOM"
+      trivy image ${TRIVY_OPTS} \
+        --exit-code 0 \
+        --severity HIGH,CRITICAL \
+        --format cyclonedx \
+        -o sbom.cdx.json \
+        ${CS_IMAGE}-${ARCH}
+    - |
+      echo -e "Check for Critical CVEs (failed if found)"
+      trivy image ${TRIVY_OPTS} \
+        --exit-code 1 \
+        --severity CRITICAL \
+        ${CS_IMAGE}-${ARCH}
  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CONTAINER_SCANNING_DISABLED == 'true' || $CONTAINER_SCANNING_DISABLED == '1'
      when: never
-    - if: $CI_COMMIT_BRANCH &&
+    - if: $CI_COMMIT_BRANCH == "main"
-          $CI_GITLAB_FIPS_MODE == "true" &&
-          $CS_ANALYZER_IMAGE !~ /-(fips|ubi)\z/
-      variables:
-        CS_IMAGE_SUFFIX: -fips
-    - if: $CI_COMMIT_BRANCH
    - if: $CI_COMMIT_TAG
+    - when: never
 .tpl:container:test:mr-note:
  stage: scan
+  variables:
+    TRIVY_OPTS: --ignore-unfixed --show-suppressed
  parallel:
    matrix:
      - ARCH: amd64
@@ -91,12 +112,13 @@ include:
        export CS_IMAGE=${CI_IMAGE}
        echo "Destination image ${CI_IMAGE}"
  script:
-    - trivy image --ignore-unfixed --severity HIGH,CRITICAL ${CS_IMAGE}-${ARCH}
    - |
      if [[ -z "${CI_MERGE_REQUEST_IID}" ]]; then
        export CI_MERGE_REQUEST_IID=$(echo $CI_OPEN_MERGE_REQUESTS | cut -d'!' -f2)
      fi
-      trivy image --format template --template @/usr/local/share/trivy/templates/trivy-markdown-json.tpl --ignore-unfixed --severity HIGH,CRITICAL ${CS_IMAGE}-${ARCH} > /tmp/output.json
+      trivy image --format template --template @/usr/local/share/trivy/templates/trivy-markdown-json.tpl \
+        --severity HIGH,CRITICAL ${TRIVY_OPTS} \
+        ${CS_IMAGE}-${ARCH} > /tmp/output.json
      cat /tmp/output.json
      echo "Push a MR note with trivy result:"
      curl --request POST --header "PRIVATE-TOKEN: $GITLAB_TOKEN" --header "Content-Type: application/json" "https://lab.frogg.it/api/v4/projects/${CI_PROJECT_ID}/merge_requests/${CI_MERGE_REQUEST_IID}/notes" --data @/tmp/output.json