<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI">
<link rel="canonical" href="https://aquasecurity.github.io/trivy/dev/docs/integrations/gitlab-ci/">
<link rel="icon" href="../../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.3.0, mkdocs-material-8.2.9+insiders-4.12.0">
<title>GitLab CI - Trivy</title>
<link rel="stylesheet" href="../../../assets/stylesheets/main.25650c35.min.css">
<link rel="stylesheet" href="../../../assets/stylesheets/palette.9647289d.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<!-- mkdocs-material bootstrap: storage helpers namespaced by the site root.
     NOTE(review): this is an inline script (and there is an inline <style>
     just above it), so serving the docs under a strict Content-Security-Policy
     would require a nonce or hash for both. -->
<script>
  // Root URL of the site ("../../.." relative to this page). Its pathname
  // prefixes every storage key so several sites on one origin do not collide.
  __md_scope = new URL("../../..", location);

  // 32-bit-style string hash: h = (h << 5) - h + charCode over each code point.
  // Mirrors the reduce() form the theme ships; the result is not truncated
  // after the last step, exactly as before.
  __md_hash = (str) => {
    let hash = 0;
    for (const ch of str) {
      hash = (hash << 5) - hash + ch.charCodeAt(0);
    }
    return hash;
  };

  // Read the JSON value stored under "<site pathname>.<key>".
  // getItem() yields null for a missing key, which JSON.parse turns into null.
  __md_get = (key, storage = localStorage, scope = __md_scope) =>
    JSON.parse(storage.getItem(scope.pathname + "." + key));

  // Store a JSON-serialised value under "<site pathname>.<key>".
  // Errors from setItem (storage unavailable or full) are deliberately
  // ignored so that page bootstrap never fails on them.
  __md_set = (key, value, storage = localStorage, scope = __md_scope) => {
    try {
      storage.setItem(scope.pathname + "." + key, JSON.stringify(value));
    } catch (err) {
      // best effort only
    }
  };
</script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#gitlab-ci" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-component="outdated" hidden>
</div>
<header class="md-header md-header--lifted" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../../.." title="Trivy" class="md-header__button md-logo" aria-label="Trivy" data-md-component="logo">
<img src="../../../imgs/logo-white.svg" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Trivy
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
GitLab CI
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/trivy" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
<div class="md-tabs__inner md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href="../../.." class="md-tabs__link">
HOME
</a>
</li>
<li class="md-tabs__item">
<a href="../../../getting-started/overview/" class="md-tabs__link">
Getting started
</a>
</li>
<li class="md-tabs__item">
<a href="../../" class="md-tabs__link md-tabs__link--active">
Docs
</a>
</li>
<li class="md-tabs__item">
<a href="../../../community/tools/" class="md-tabs__link">
Community
</a>
</li>
</ul>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../../.." title="Trivy" class="md-nav__button md-logo" aria-label="Trivy" data-md-component="logo">
<img src="../../../imgs/logo-white.svg" alt="logo">
</a>
Trivy
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/trivy" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../.." class="md-nav__link">
<span class="md-ellipsis">
HOME
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2">
<span class="md-ellipsis">
Getting started
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Getting started" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Getting started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../getting-started/overview/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../getting-started/installation/" class="md-nav__link">
<span class="md-ellipsis">
Installation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../getting-started/quickstart/" class="md-nav__link">
<span class="md-ellipsis">
Quick Start
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../getting-started/further/" class="md-nav__link">
<span class="md-ellipsis">
Further Reading
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" checked>
<label class="md-nav__link" for="__nav_3">
<span class="md-ellipsis">
Docs
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Docs" data-md-level="1">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Docs
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_2" type="checkbox" id="__nav_3_2" >
<label class="md-nav__link" for="__nav_3_2">
<span class="md-ellipsis">
Vulnerability
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Vulnerability" data-md-level="2">
<label class="md-nav__title" for="__nav_3_2">
<span class="md-nav__icon md-icon"></span>
Vulnerability
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_2_1" type="checkbox" id="__nav_3_2_1" >
<label class="md-nav__link" for="__nav_3_2_1">
<span class="md-ellipsis">
Scanning
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Scanning" data-md-level="3">
<label class="md-nav__title" for="__nav_3_2_1">
<span class="md-nav__icon md-icon"></span>
Scanning
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../vulnerability/scanning/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/scanning/image/" class="md-nav__link">
<span class="md-ellipsis">
Container Image
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/scanning/filesystem/" class="md-nav__link">
<span class="md-ellipsis">
Filesystem
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/scanning/rootfs/" class="md-nav__link">
<span class="md-ellipsis">
Rootfs
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/scanning/git-repository/" class="md-nav__link">
<span class="md-ellipsis">
Git Repository
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_2_2" type="checkbox" id="__nav_3_2_2" >
<label class="md-nav__link" for="__nav_3_2_2">
<span class="md-ellipsis">
Detection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Detection" data-md-level="3">
<label class="md-nav__title" for="__nav_3_2_2">
<span class="md-nav__icon md-icon"></span>
Detection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../vulnerability/detection/os/" class="md-nav__link">
<span class="md-ellipsis">
OS Packages
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/detection/language/" class="md-nav__link">
<span class="md-ellipsis">
Language-specific Packages
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/detection/data-source/" class="md-nav__link">
<span class="md-ellipsis">
Data Sources
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/detection/supported/" class="md-nav__link">
<span class="md-ellipsis">
Supported
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_2_3" type="checkbox" id="__nav_3_2_3" >
<label class="md-nav__link" for="__nav_3_2_3">
<span class="md-ellipsis">
Examples
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Examples" data-md-level="3">
<label class="md-nav__title" for="__nav_3_2_3">
<span class="md-nav__icon md-icon"></span>
Examples
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../vulnerability/examples/filter/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Filtering
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/examples/report/" class="md-nav__link">
<span class="md-ellipsis">
Report Formats
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/examples/db/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability DB
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/examples/cache/" class="md-nav__link">
<span class="md-ellipsis">
Cache
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../vulnerability/examples/others/" class="md-nav__link">
<span class="md-ellipsis">
Others
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_2_4" type="checkbox" id="__nav_3_2_4" >
<label class="md-nav__link" for="__nav_3_2_4">
<span class="md-ellipsis">
Languages
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Languages" data-md-level="3">
<label class="md-nav__title" for="__nav_3_2_4">
<span class="md-nav__icon md-icon"></span>
Languages
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../vulnerability/languages/golang/" class="md-nav__link">
<span class="md-ellipsis">
Go
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3" type="checkbox" id="__nav_3_3" >
<label class="md-nav__link" for="__nav_3_3">
<span class="md-ellipsis">
Misconfiguration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Misconfiguration" data-md-level="2">
<label class="md-nav__title" for="__nav_3_3">
<span class="md-nav__icon md-icon"></span>
Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3_1" type="checkbox" id="__nav_3_3_1" >
<label class="md-nav__link" for="__nav_3_3_1">
<span class="md-ellipsis">
Scanning
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Scanning" data-md-level="3">
<label class="md-nav__title" for="__nav_3_3_1">
<span class="md-nav__icon md-icon"></span>
Scanning
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../misconfiguration/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../misconfiguration/iac/" class="md-nav__link">
<span class="md-ellipsis">
Infrastructure as Code
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../misconfiguration/filesystem/" class="md-nav__link">
<span class="md-ellipsis">
Filesystem
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3_2" type="checkbox" id="__nav_3_3_2" >
<label class="md-nav__link" for="__nav_3_3_2">
<span class="md-ellipsis">
Policy
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Policy" data-md-level="3">
<label class="md-nav__title" for="__nav_3_3_2">
<span class="md-nav__icon md-icon"></span>
Policy
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../misconfiguration/policy/builtin/" class="md-nav__link">
<span class="md-ellipsis">
Built-in Policies
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../misconfiguration/policy/exceptions/" class="md-nav__link">
<span class="md-ellipsis">
Exceptions
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3_3" type="checkbox" id="__nav_3_3_3" >
<label class="md-nav__link" for="__nav_3_3_3">
<span class="md-ellipsis">
Custom Policies
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Custom Policies" data-md-level="3">
<label class="md-nav__title" for="__nav_3_3_3">
<span class="md-nav__icon md-icon"></span>
Custom Policies
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../misconfiguration/custom/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../misconfiguration/custom/data/" class="md-nav__link">
<span class="md-ellipsis">
Data
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../misconfiguration/custom/combine/" class="md-nav__link">
<span class="md-ellipsis">
Combine
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../misconfiguration/custom/testing/" class="md-nav__link">
<span class="md-ellipsis">
Testing
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../misconfiguration/custom/debug/" class="md-nav__link">
<span class="md-ellipsis">
Debugging Policies
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../misconfiguration/custom/examples/" class="md-nav__link">
<span class="md-ellipsis">
Examples
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3_4" type="checkbox" id="__nav_3_3_4" >
<label class="md-nav__link" for="__nav_3_3_4">
<span class="md-ellipsis">
Options
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Options" data-md-level="3">
<label class="md-nav__title" for="__nav_3_3_4">
<span class="md-nav__icon md-icon"></span>
Options
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../misconfiguration/options/policy/" class="md-nav__link">
<span class="md-ellipsis">
Policy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../misconfiguration/options/filter/" class="md-nav__link">
<span class="md-ellipsis">
Filtering
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../misconfiguration/options/report/" class="md-nav__link">
<span class="md-ellipsis">
Report Formats
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../misconfiguration/options/others/" class="md-nav__link">
<span class="md-ellipsis">
Others
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3_5" type="checkbox" id="__nav_3_3_5" >
<label class="md-nav__link" for="__nav_3_3_5">
<span class="md-ellipsis">
Comparison
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Comparison" data-md-level="3">
<label class="md-nav__title" for="__nav_3_3_5">
<span class="md-nav__icon md-icon"></span>
Comparison
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../misconfiguration/comparison/conftest/" class="md-nav__link">
<span class="md-ellipsis">
vs Conftest
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../misconfiguration/comparison/tfsec/" class="md-nav__link">
<span class="md-ellipsis">
vs tfsec
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../misconfiguration/comparison/cfsec/" class="md-nav__link">
<span class="md-ellipsis">
vs cfsec
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_4" type="checkbox" id="__nav_3_4" >
<label class="md-nav__link" for="__nav_3_4">
<span class="md-ellipsis">
SBOM
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="SBOM" data-md-level="2">
<label class="md-nav__title" for="__nav_3_4">
<span class="md-nav__icon md-icon"></span>
SBOM
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../sbom/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../sbom/cyclonedx/" class="md-nav__link">
<span class="md-ellipsis">
CycloneDX
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_5" type="checkbox" id="__nav_3_5" checked>
<label class="md-nav__link" for="__nav_3_5">
<span class="md-ellipsis">
Integrations
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Integrations" data-md-level="2">
<label class="md-nav__title" for="__nav_3_5">
<span class="md-nav__icon md-icon"></span>
Integrations
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../github-actions/" class="md-nav__link">
<span class="md-ellipsis">
GitHub Actions
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../circleci/" class="md-nav__link">
<span class="md-ellipsis">
CircleCI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../travis-ci/" class="md-nav__link">
<span class="md-ellipsis">
Travis CI
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
GitLab CI
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
GitLab CI
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#gitlab-ci-using-trivy-container" class="md-nav__link">
<span class="md-ellipsis">
GitLab CI using Trivy container
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#gitlab-ci-alternative-template" class="md-nav__link">
<span class="md-ellipsis">
GitLab CI alternative template
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#gitlab-ci-alternative-template-example-report" class="md-nav__link">
<span class="md-ellipsis">
GitLab CI alternative template example report
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../bitbucket/" class="md-nav__link">
<span class="md-ellipsis">
Bitbucket Pipelines
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../aws-codepipeline/" class="md-nav__link">
<span class="md-ellipsis">
AWS CodePipeline
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../aws-security-hub/" class="md-nav__link">
<span class="md-ellipsis">
AWS Security Hub
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_6" type="checkbox" id="__nav_3_6" >
<label class="md-nav__link" for="__nav_3_6">
<span class="md-ellipsis">
Advanced
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Advanced" data-md-level="2">
<label class="md-nav__title" for="__nav_3_6">
<span class="md-nav__icon md-icon"></span>
Advanced
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../advanced/plugins/" class="md-nav__link">
<span class="md-ellipsis">
Plugins
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/air-gap/" class="md-nav__link">
<span class="md-ellipsis">
Air-Gapped Environment
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_6_3" type="checkbox" id="__nav_3_6_3" >
<label class="md-nav__link" for="__nav_3_6_3">
<span class="md-ellipsis">
Container Image
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Container Image" data-md-level="3">
<label class="md-nav__title" for="__nav_3_6_3">
<span class="md-nav__icon md-icon"></span>
Container Image
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../advanced/container/embed-in-dockerfile/" class="md-nav__link">
<span class="md-ellipsis">
Embed in Dockerfile
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/container/unpacked-filesystem/" class="md-nav__link">
<span class="md-ellipsis">
Unpacked container image filesystem
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/container/oci/" class="md-nav__link">
<span class="md-ellipsis">
OCI Image
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/container/podman/" class="md-nav__link">
<span class="md-ellipsis">
Podman
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_6_3_5" type="checkbox" id="__nav_3_6_3_5" >
<label class="md-nav__link" for="__nav_3_6_3_5">
<span class="md-ellipsis">
Private Docker Registries
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Private Docker Registries" data-md-level="4">
<label class="md-nav__title" for="__nav_3_6_3_5">
<span class="md-nav__icon md-icon"></span>
Private Docker Registries
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../advanced/private-registries/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/private-registries/docker-hub/" class="md-nav__link">
<span class="md-ellipsis">
Docker Hub
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/private-registries/ecr/" class="md-nav__link">
<span class="md-ellipsis">
AWS ECR (Elastic Container Registry)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/private-registries/gcr/" class="md-nav__link">
<span class="md-ellipsis">
GCR (Google Container Registry)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/private-registries/acr/" class="md-nav__link">
<span class="md-ellipsis">
ACR (Azure Container Registry)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../advanced/private-registries/self/" class="md-nav__link">
<span class="md-ellipsis">
Self-Hosted
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_7" type="checkbox" id="__nav_3_7" >
<label class="md-nav__link" for="__nav_3_7">
<span class="md-ellipsis">
References
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="References" data-md-level="2">
<label class="md-nav__title" for="__nav_3_7">
<span class="md-nav__icon md-icon"></span>
References
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_7_1" type="checkbox" id="__nav_3_7_1" >
<label class="md-nav__link" for="__nav_3_7_1">
<span class="md-ellipsis">
CLI
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="CLI" data-md-level="3">
<label class="md-nav__title" for="__nav_3_7_1">
<span class="md-nav__icon md-icon"></span>
CLI
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../references/cli/" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/cli/image/" class="md-nav__link">
<span class="md-ellipsis">
Image
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/cli/config/" class="md-nav__link">
<span class="md-ellipsis">
Config
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/cli/fs/" class="md-nav__link">
<span class="md-ellipsis">
Filesystem
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/cli/rootfs/" class="md-nav__link">
<span class="md-ellipsis">
Rootfs
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/cli/repo/" class="md-nav__link">
<span class="md-ellipsis">
Repository
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/cli/client/" class="md-nav__link">
<span class="md-ellipsis">
Client
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../references/cli/server/" class="md-nav__link">
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="gitlab-ci">GitLab CI</h1>
<p>If you're a GitLab Ultimate customer, GitLab 14.0 and above include out-of-the-box integration with Trivy. To enable it for your project, simply add the container scanning template to your <code>.gitlab-ci.yml</code> file. For more details, please refer to <a href="https://docs.gitlab.com/ee/user/application_security/container_scanning/">GitLab's documentation</a>.</p>
<p>If you're using an earlier version of GitLab, you can still use the new integration by copying the <a href="https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml">contents of the 14.0 template</a> to your configuration.</p>
<p>Alternatively, you can use the example configurations below. Treat them as starting points rather than hardened pipelines: the <code>docker:stable</code> examples look up whichever Trivy release is <em>latest</em> at run time via the GitHub API and extract the archive without verifying it, and the <code>before_script</code> does not check that the lookup succeeded (if it fails, for example because the unauthenticated API call is rate-limited, <code>TRIVY_VERSION</code> is empty and the download URL is malformed). The container example likewise uses the unpinned <code>aquasec/trivy:latest</code> tag. For reproducible and auditable scans, pin <code>TRIVY_VERSION</code> or the image tag to a specific release and verify what you download.</p>
<div class="highlight"><pre><span></span><code><span class="nt">stages</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">test</span><span class="w"></span>
<span class="nt">trivy</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">test</span><span class="w"></span>
<span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">docker:stable</span><span class="w"></span>
<span class="w"> </span><span class="nt">services</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">docker:dind</span><span class="w"></span>
<span class="w"> </span><span class="nt">entrypoint</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;env&quot;</span><span class="p p-Indicator">,</span><span class="w"> </span><span class="s">&quot;-u&quot;</span><span class="p p-Indicator">,</span><span class="w"> </span><span class="s">&quot;DOCKER_HOST&quot;</span><span class="p p-Indicator">]</span><span class="w"></span>
<span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;dockerd-entrypoint.sh&quot;</span><span class="p p-Indicator">]</span><span class="w"></span>
<span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">DOCKER_HOST</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tcp://docker:2375/</span><span class="w"></span>
<span class="w"> </span><span class="nt">DOCKER_DRIVER</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">overlay2</span><span class="w"></span>
<span class="w"> </span><span class="c1"># See https://github.com/docker-library/docker/pull/166</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Setting DOCKER_TLS_CERTDIR to an empty string disables TLS between this job and the</span><span class="w"></span>
<span class="w"> </span><span class="c1"># docker:dind service, which is why DOCKER_HOST above uses plain tcp://docker:2375/.</span><span class="w"></span>
<span class="w"> </span><span class="c1"># This traffic stays on the job service network, but make sure the daemon is not reachable</span><span class="w"></span>
<span class="w"> </span><span class="c1"># from outside the job; if your runners support it, prefer the TLS-enabled Docker-in-Docker</span><span class="w"></span>
<span class="w"> </span><span class="c1"># setup described in the GitLab documentation.</span><span class="w"></span>
<span class="w"> </span><span class="nt">DOCKER_TLS_CERTDIR</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&quot;</span><span class="w"></span>
<span class="w"> </span><span class="nt">IMAGE</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">trivy-ci-test:$CI_COMMIT_SHA</span><span class="w"></span>
<span class="w"> </span><span class="nt">TRIVY_NO_PROGRESS</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;true&quot;</span><span class="w"></span>
<span class="w"> </span><span class="nt">TRIVY_CACHE_DIR</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;.trivycache/&quot;</span><span class="w"></span>
<span class="w"> </span><span class="nt">before_script</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">export TRIVY_VERSION=$(wget -qO - &quot;https://api.github.com/repos/aquasecurity/trivy/releases/latest&quot; | grep &#39;&quot;tag_name&quot;:&#39; | sed -E &#39;s/.*&quot;v([^&quot;]+)&quot;.*/\1/&#39;)</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">echo $TRIVY_VERSION</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -</span><span class="w"></span>
<span class="w"> </span><span class="nt">allow_failure</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"></span>
<span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Build image</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">docker build -t $IMAGE .</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Build report</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./trivy image --exit-code 0 --format template --template &quot;@contrib/gitlab.tpl&quot; -o gl-container-scanning-report.json $IMAGE</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Print report</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./trivy image --exit-code 0 --severity HIGH $IMAGE</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Fail on severe vulnerabilities. Note that allow_failure: true (above) makes this a</span><span class="w"></span>
<span class="w"> </span><span class="c1"># warning only: the job is marked as failed but the pipeline still continues. Remove</span><span class="w"></span>
<span class="w"> </span><span class="c1"># allow_failure (or set it to false) if this check is meant to block the pipeline.</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./trivy image --exit-code 1 --severity CRITICAL $IMAGE</span><span class="w"></span>
<span class="w"> </span><span class="nt">cache</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">.trivycache/</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/</span><span class="w"></span>
<span class="w"> </span><span class="c1"># (the Container Scanning report is available on GitLab Ultimate, formerly GitLab EE Ultimate / GitLab.com Gold).</span><span class="w"></span>
<span class="w"> </span><span class="c1"># By default artifacts are only uploaded when the job succeeds, so the report is not</span><span class="w"></span>
<span class="w"> </span><span class="c1"># uploaded when the CRITICAL check above fails; add &quot;when: always&quot; under artifacts (as in</span><span class="w"></span>
<span class="w"> </span><span class="c1"># the container example below) to upload it regardless of the job result.</span><span class="w"></span>
<span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">reports</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">container_scanning</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gl-container-scanning-report.json</span><span class="w"></span>
</code></pre></div>
<p><a href="https://gitlab.com/aquasecurity/trivy-ci-test/pipelines">Example</a>
<a href="https://github.com/aquasecurity/trivy-ci-test">Repository</a></p>
<h3 id="gitlab-ci-using-trivy-container">GitLab CI using Trivy container</h3>
<p>To scan a previously built image that has already been pushed into the
GitLab container registry the following CI job manifest can be used.
Note that <code>entrypoint</code> needs to be unset for the <code>script</code> section to work.
In case of a non-public GitLab project Trivy additionally needs to
authenticate to the registry to be able to pull your application image;
the example does this with the predefined <code>CI_REGISTRY_USER</code> /
<code>CI_REGISTRY_PASSWORD</code> variables (passed to Trivy as
<code>TRIVY_USERNAME</code> / <code>TRIVY_PASSWORD</code>), so no long-lived
registry credential has to be stored as a CI variable.
Finally, it is not necessary to clone the project repo as we only work
with the container image, which is why <code>GIT_STRATEGY</code> is set to <code>none</code>.
Pin the <code>aquasec/trivy</code> image to a specific version tag instead of
<code>latest</code> if you need reproducible scan results.</p>
<div class="highlight"><pre><span></span><code><span class="nt">container_scanning</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">docker.io/aquasec/trivy:latest</span><span class="w"></span>
<span class="w"> </span><span class="nt">entrypoint</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;&quot;</span><span class="p p-Indicator">]</span><span class="w"></span>
<span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="c1"># No need to clone the repo, we exclusively work on artifacts. See</span><span class="w"></span>
<span class="w"> </span><span class="c1"># https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy</span><span class="w"></span>
<span class="w"> </span><span class="nt">GIT_STRATEGY</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">none</span><span class="w"></span>
<span class="w"> </span><span class="nt">TRIVY_USERNAME</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;$CI_REGISTRY_USER&quot;</span><span class="w"></span>
<span class="w"> </span><span class="nt">TRIVY_PASSWORD</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;$CI_REGISTRY_PASSWORD&quot;</span><span class="w"></span>
<span class="w"> </span><span class="nt">TRIVY_AUTH_URL</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;$CI_REGISTRY&quot;</span><span class="w"></span>
<span class="w"> </span><span class="nt">TRIVY_NO_PROGRESS</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;true&quot;</span><span class="w"></span>
<span class="w"> </span><span class="nt">TRIVY_CACHE_DIR</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;.trivycache/&quot;</span><span class="w"></span>
<span class="w"> </span><span class="nt">FULL_IMAGE_NAME</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG</span><span class="w"></span>
<span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">trivy --version</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Cache cleanup is needed when re-scanning images under the same tag (a mutable tag may now</span><span class="w"></span>
<span class="w"> </span><span class="c1"># point at different content); --clear-cache removes the image cache but not the vulnerability database</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">time trivy image --clear-cache</span><span class="w"></span>
<span class="w"> </span><span class="c1"># update vulnerabilities db</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">time trivy image --download-db-only</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">time trivy image --exit-code 0 --format template --template &quot;@/contrib/gitlab.tpl&quot;</span><span class="w"></span>
<span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--output &quot;$CI_PROJECT_DIR/gl-container-scanning-report.json&quot; &quot;$FULL_IMAGE_NAME&quot;</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Prints full report</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">time trivy image --exit-code 0 &quot;$FULL_IMAGE_NAME&quot;</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Fail on critical vulnerabilities</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">time trivy image --exit-code 1 --severity CRITICAL &quot;$FULL_IMAGE_NAME&quot;</span><span class="w"></span>
<span class="w"> </span><span class="nt">cache</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">.trivycache/</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/</span><span class="w"></span>
<span class="w"> </span><span class="c1"># (the Container Scanning report is available on GitLab Ultimate, formerly GitLab EE Ultimate / GitLab.com Gold).</span><span class="w"></span>
<span class="w"> </span><span class="c1"># &quot;when: always&quot; below ensures the report is uploaded even when the CRITICAL check fails the job.</span><span class="w"></span>
<span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">always</span><span class="w"></span>
<span class="w"> </span><span class="nt">reports</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">container_scanning</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gl-container-scanning-report.json</span><span class="w"></span>
<span class="w"> </span><span class="nt">tags</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">docker-runner</span><span class="w"></span>
</code></pre></div>
<h3 id="gitlab-ci-alternative-template">Gitlab CI alternative template</h3>
<p>Depending on the edition of GitLab you have or your desired workflow, the
container scanning template may not meet your needs. As an addition to the
above container scanning examples, a template for
<a href="https://docs.gitlab.com/ee/user/project/merge_requests/code_quality.html">code quality</a>
reports has been included. The key things to change from the above examples are
the <code>template</code> and the <code>report</code> type. An updated example is below.</p>
<div class="highlight"><pre><span></span><code><span class="nt">stages</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">test</span><span class="w"></span>
<span class="nt">trivy</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">test</span><span class="w"></span>
<span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">docker:stable</span><span class="w"></span>
<span class="w"> </span><span class="nt">services</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">docker:dind</span><span class="w"></span>
<span class="w"> </span><span class="nt">entrypoint</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;env&quot;</span><span class="p p-Indicator">,</span><span class="w"> </span><span class="s">&quot;-u&quot;</span><span class="p p-Indicator">,</span><span class="w"> </span><span class="s">&quot;DOCKER_HOST&quot;</span><span class="p p-Indicator">]</span><span class="w"></span>
<span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="s">&quot;dockerd-entrypoint.sh&quot;</span><span class="p p-Indicator">]</span><span class="w"></span>
<span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">DOCKER_HOST</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tcp://docker:2375/</span><span class="w"></span>
<span class="w"> </span><span class="nt">DOCKER_DRIVER</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">overlay2</span><span class="w"></span>
<span class="w"> </span><span class="c1"># See https://github.com/docker-library/docker/pull/166</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Setting DOCKER_TLS_CERTDIR to an empty string disables TLS between this job and the</span><span class="w"></span>
<span class="w"> </span><span class="c1"># docker:dind service, which is why DOCKER_HOST above uses plain tcp://docker:2375/.</span><span class="w"></span>
<span class="w"> </span><span class="c1"># This traffic stays on the job service network, but make sure the daemon is not reachable</span><span class="w"></span>
<span class="w"> </span><span class="c1"># from outside the job; if your runners support it, prefer the TLS-enabled Docker-in-Docker</span><span class="w"></span>
<span class="w"> </span><span class="c1"># setup described in the GitLab documentation.</span><span class="w"></span>
<span class="w"> </span><span class="nt">DOCKER_TLS_CERTDIR</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&quot;</span><span class="w"></span>
<span class="w"> </span><span class="nt">IMAGE</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">trivy-ci-test:$CI_COMMIT_SHA</span><span class="w"></span>
<span class="w"> </span><span class="nt">TRIVY_NO_PROGRESS</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;true&quot;</span><span class="w"></span>
<span class="w"> </span><span class="nt">TRIVY_CACHE_DIR</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;.trivycache/&quot;</span><span class="w"></span>
<span class="w"> </span><span class="nt">before_script</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">export TRIVY_VERSION=$(wget -qO - &quot;https://api.github.com/repos/aquasecurity/trivy/releases/latest&quot; | grep &#39;&quot;tag_name&quot;:&#39; | sed -E &#39;s/.*&quot;v([^&quot;]+)&quot;.*/\1/&#39;)</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">echo $TRIVY_VERSION</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -</span><span class="w"></span>
<span class="w"> </span><span class="nt">allow_failure</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"></span>
<span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Build image</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">docker build -t $IMAGE .</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Image report</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./trivy image --exit-code 0 --format template --template &quot;@contrib/gitlab-codequality.tpl&quot; -o gl-codeclimate-image.json $IMAGE</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Filesystem report</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">./trivy filesystem --security-checks config,vuln --exit-code 0 --format template --template &quot;@contrib/gitlab-codequality.tpl&quot; -o gl-codeclimate-fs.json .</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Combine report</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apk update &amp;&amp; apk add jq</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">jq -s &#39;add&#39; gl-codeclimate-image.json gl-codeclimate-fs.json &gt; gl-codeclimate.json</span><span class="w"></span>
<span class="w"> </span><span class="nt">cache</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">.trivycache/</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Publishes gl-codeclimate.json as a Code Quality report (see</span><span class="w"></span>
<span class="w"> </span><span class="c1"># https://docs.gitlab.com/ee/user/project/merge_requests/code_quality.html) rather than a</span><span class="w"></span>
<span class="w"> </span><span class="c1"># Container Scanning report; it is also kept as a plain artifact so it can be downloaded.</span><span class="w"></span>
<span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gl-codeclimate.json</span><span class="w"></span>
<span class="w"> </span><span class="nt">reports</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">codequality</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gl-codeclimate.json</span><span class="w"></span>
</code></pre></div>
<p>Currently GitLab only supports a single code quality report. There is an
open <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/9014">feature request</a>
to support multiple reports. Until this has been implemented, if you
already have a code quality report in your pipeline, you can use
<code>jq</code> to combine reports (<code>jq -s 'add'</code> concatenates the JSON arrays of the input files). Depending on how you name your artifacts, it may
be necessary to rename the existing artifact if you want to reuse the name. To then
combine the previous artifact with the output of Trivy, the following <code>jq</code>
command can be used: <code>jq -s 'add' prev-codeclimate.json trivy-codeclimate.json &gt; gl-codeclimate.json</code>.</p>
<h3 id="gitlab-ci-alternative-template-example-report">Gitlab CI alternative template example report</h3>
<p>You'll be able to see a full report in the GitLab pipeline code quality UI, where filesystem vulnerabilities and misconfigurations include links to the flagged files, while image vulnerabilities instead report the image/OS package or runtime library that the vulnerability originates from.</p>
<p><img alt="codequality" src="../../../imgs/gitlab-codequality.png" /></p>
</article>
</div>
</div>
</main>
</div>
</body>
</html>