github.com/devseccon/trivy@v0.47.1-0.20231123133102-bd902a0bd996/docs/tutorials/integrations/gitlab-ci.md

# GitLab CI

GitLab 15.0 includes [free](https://gitlab.com/groups/gitlab-org/-/epics/2233) integration with Trivy.

To [configure container scanning with Trivy in GitLab](https://docs.gitlab.com/ee/user/application_security/container_scanning/#configuration), simply include the CI template in your `.gitlab-ci.yml` file:

```yaml
include:
  - template: Security/Container-Scanning.gitlab-ci.yml
```

If you're a GitLab 14.x Ultimate customer, you can use the same configuration above.

Alternatively, you can always use the example configurations below.

```yaml
stages:
  - test

trivy:
  stage: test
  image: docker:stable
  services:
    - name: docker:dind
      entrypoint: ["env", "-u", "DOCKER_HOST"]
      command: ["dockerd-entrypoint.sh"]
  variables:
    DOCKER_HOST: tcp://docker:2375/
    DOCKER_DRIVER: overlay2
    # See https://github.com/docker-library/docker/pull/166
    DOCKER_TLS_CERTDIR: ""
    IMAGE: trivy-ci-test:$CI_COMMIT_SHA
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: ".trivycache/"
  before_script:
    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/devseccon/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - echo $TRIVY_VERSION
    - wget --no-verbose https://github.com/devseccon/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
  allow_failure: true
  script:
    # Build image
    - docker build -t $IMAGE .
    # Build report
    - ./trivy image --exit-code 0 --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
    # Print report
    - ./trivy image --exit-code 0 --severity HIGH $IMAGE
    # Fail on severe vulnerabilities
    - ./trivy image --exit-code 1 --severity CRITICAL $IMAGE
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
```

[Example][example]
[Repository][repository]

### GitLab CI using Trivy container

To scan a previously built image that has already been pushed into the
GitLab container registry, the following CI job manifest can be used.
Note that `entrypoint` needs to be unset for the `script` section to work.
In the case of a non-public GitLab project, Trivy additionally needs to
authenticate to the registry to be able to pull your application image.
Finally, it is not necessary to clone the project repo, as we only work
with the container image.

```yaml
container_scanning:
  image:
    name: docker.io/aquasec/trivy:latest
    entrypoint: [""]
  variables:
    # No need to clone the repo, we exclusively work on artifacts. See
    # https://docs.gitlab.com/ee/ci/runners/configure_runners.html#git-strategy
    GIT_STRATEGY: none
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: ".trivycache/"
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
  script:
    - trivy --version
    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
    - time trivy image --clear-cache
    # update vulnerabilities db
    - time trivy image --download-db-only
    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
    - time trivy image --exit-code 0 --format template --template "@/contrib/gitlab.tpl"
        --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
    # Prints full report
    - time trivy image --exit-code 0 "$FULL_IMAGE_NAME"
    # Fail on critical vulnerabilities
    - time trivy image --exit-code 1 --severity CRITICAL "$FULL_IMAGE_NAME"
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
  artifacts:
    when: always
    reports:
      container_scanning: gl-container-scanning-report.json
  tags:
    - docker-runner
```

[example]: https://gitlab.com/devseccon/trivy-ci-test/pipelines
[repository]: https://github.com/devseccon/trivy-ci-test

### GitLab CI alternative template

Depending on the GitLab edition you have or your desired workflow, the
container scanning template may not meet your needs. In addition to the
container scanning template above, a template for
[code climate](https://docs.gitlab.com/ee/user/project/merge_requests/code_quality.html)
has been included. The key things to update from the above examples are
the `template` and `report` type. An updated example is below.

```yaml
stages:
  - test

trivy:
  stage: test
  image: docker:stable
  services:
    - name: docker:dind
      entrypoint: ["env", "-u", "DOCKER_HOST"]
      command: ["dockerd-entrypoint.sh"]
  variables:
    DOCKER_HOST: tcp://docker:2375/
    DOCKER_DRIVER: overlay2
    # See https://github.com/docker-library/docker/pull/166
    DOCKER_TLS_CERTDIR: ""
    IMAGE: trivy-ci-test:$CI_COMMIT_SHA
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: ".trivycache/"
  before_script:
    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/devseccon/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - echo $TRIVY_VERSION
    - wget --no-verbose https://github.com/devseccon/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
  allow_failure: true
  script:
    # Build image
    - docker build -t $IMAGE .
    # Image report
    - ./trivy image --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE
    # Filesystem report
    - ./trivy filesystem --scanners misconfig,vuln --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json .
    # Combine report
    - apk update && apk add jq
    - jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > gl-codeclimate.json
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
  artifacts:
    paths:
      - gl-codeclimate.json
    reports:
      codequality: gl-codeclimate.json
```

Currently, GitLab only supports a single code quality report. There is an
open [feature request](https://gitlab.com/gitlab-org/gitlab/-/issues/9014)
to support multiple reports. Until this has been implemented, if you
already have a code quality report in your pipeline, you can use
`jq` to combine reports. Depending on how you name your artifacts, it may
be necessary to rename the existing artifact if you want to reuse its name
for the combined report. To then combine the previous artifact with the
output of Trivy, the following `jq` command can be used:
`jq -s 'add' prev-codeclimate.json trivy-codeclimate.json > gl-codeclimate.json`.

### GitLab CI alternative template example report

You'll be able to see a full report in the GitLab pipeline code quality UI.
Filesystem vulnerabilities and misconfigurations include links to the flagged
files, while image vulnerabilities instead report the image/OS or
runtime/library that the vulnerability originates from.
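The `jq -s 'add'` combine step described under the alternative template concatenates two Code Climate arrays without checking them. The following is an added example, not code from the Trivy docs or project: it performs the same concatenation in Python, validates that each entry carries the fields the GitLab code quality viewer needs, and (going beyond the `jq` one-liner) keeps only the first entry per fingerprint; the sample entries and the `EXAMPLE-VULN-1` identifier are constructed.

```python
import json
import sys

# Fields GitLab needs in every Code Climate entry before it renders the report.
REQUIRED = ("description", "fingerprint", "severity", "location")
SEVERITIES = {"info", "minor", "major", "critical", "blocker"}


def validate_issue(issue):
    """Raise ValueError if an entry lacks what the codequality report viewer needs."""
    missing = [k for k in REQUIRED if k not in issue]
    if missing:
        raise ValueError(f"entry is missing {missing}")
    if issue["severity"] not in SEVERITIES:
        raise ValueError(f"unknown severity {issue['severity']!r}")
    loc = issue["location"]
    if "path" not in loc or not ("lines" in loc or "positions" in loc):
        raise ValueError("location needs a path and a lines/positions block")


def merge_codeclimate(*reports):
    """Concatenate report arrays like `jq -s 'add'`, validating each entry and
    keeping only the first occurrence of a fingerprint (GitLab keys findings on it)."""
    merged, seen = [], set()
    for report in reports:
        if not isinstance(report, list):
            raise ValueError("a Code Climate report must be a JSON array")
        for issue in report:
            validate_issue(issue)
            if issue["fingerprint"] not in seen:
                seen.add(issue["fingerprint"])
                merged.append(issue)
    return merged


def severity_counts(report):
    """Tally findings by severity, useful for a pipeline log line or a gate."""
    counts = {}
    for issue in report:
        counts[issue["severity"]] = counts.get(issue["severity"], 0) + 1
    return counts


# Constructed samples standing in for prev-codeclimate.json and trivy-codeclimate.json.
SAMPLE_PREV = [{"description": "unused import", "check_name": "lint", "fingerprint": "lint-1",
                "severity": "minor", "location": {"path": "app.py", "lines": {"begin": 12}}}]
SAMPLE_TRIVY = [{"description": "EXAMPLE-VULN-1 in openssl", "check_name": "container_scanning",
                 "fingerprint": "EXAMPLE-VULN-1-openssl", "severity": "critical",
                 "location": {"path": "trivy-ci-test (alpine)", "lines": {"begin": 0}}}] * 2  # duplicate

if __name__ == "__main__":
    # Usage: python merge.py prev-codeclimate.json trivy-codeclimate.json > gl-codeclimate.json
    inputs = [json.load(open(p)) for p in sys.argv[1:]] or [SAMPLE_PREV, SAMPLE_TRIVY]
    json.dump(merge_codeclimate(*inputs), sys.stdout, indent=2)
```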