Container Security: GitLab Trivy Container Scanning

A simple and comprehensive vulnerability scanner for containers, suitable for CI.

It is designed to be used in CI: before pushing to a container registry, you can easily scan your local container image.

Most of my Docker images are Alpine based. Trivy uses better vulnerability data for Alpine compared to Clair.

This can be easily plugged into your CI/CD pipeline. In this scenario we allow the pipeline to fail; the objective here is to provide visibility.

```yaml
scan-container-trivy:
  image:
    name: docker.io/aquasec/trivy:latest
    entrypoint: ["/bin/sh"]   # the image's default entrypoint is trivy itself; a shell is needed to run `script`
  stage: scan
  allow_failure: true          # findings are surfaced but do not block the pipeline
  interruptible: true
  variables:
    GIT_STRATEGY: none         # the job scans an image; it does not need the repository checkout
    TRIVY_DEBUG: "true"
    TRIVY_FORMAT: "json"
    TRIVY_SEVERITY: "HIGH,CRITICAL"
    TRIVY_EXIT_CODE: "1"       # exit non-zero when any finding matches TRIVY_SEVERITY
    TRIVY_VULN_TYPE: "os,library"
    TRIVY_TIMEOUT: "5m"
    # TRIVY_NO_PROGRESS: "true"
    TRIVY_OUTPUT: "gl-container-scanning-report.json"
  timeout: 5m
  retry:
    max: 2
    when:
      - runner_system_failure
      - stuck_or_timeout_failure
  when: on_success
  script:
    # `trivy image`: the bare `trivy <image>` form has been removed from current releases
    - trivy image "${IMAGE_NAME}"
  artifacts:
    reports:
      # Raw Trivy JSON is kept as an artifact for visibility. GitLab's container_scanning
      # widget expects its own report schema; Trivy ships a template for it
      # (--format template --template "@/contrib/gitlab.tpl") if you want the MR widget.
      container_scanning: gl-container-scanning-report.json
    expire_in: 1 day
  only:
    refs:
      - merge_requests
    variables:
      - $IMAGE_NAME
```

This can be adapted to other CI pipelines.
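As an added example (not part of the gist), a small Python script that reads the JSON report the job writes with `TRIVY_FORMAT=json` and applies the same `HIGH,CRITICAL` gate, so the visibility the job provides can be turned into a summary in any pipeline. The sample report and its CVE IDs are constructed placeholders; the field names follow Trivy's JSON schema (SchemaVersion 2 wraps findings in `Results`, older releases emitted a bare list).

```python
import json
from collections import Counter

# Constructed sample report; the CVE IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/app:1.0",
    "Results": [
        {"Target": "registry.example/app:1.0 (alpine 3.18.0)", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "3.1.0-r0",
              "FixedVersion": "3.1.1-r0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "InstalledVersion": "1.36.0-r0",
              "Severity": "MEDIUM"}]},                      # no FixedVersion: unfixed finding
        {"Target": "app/package-lock.json", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash", "InstalledVersion": "4.17.15",
              "FixedVersion": "4.17.21", "Severity": "HIGH"}]},
        {"Target": "app/Dockerfile", "Type": "dockerfile"},  # no "Vulnerabilities" key at all
    ],
})


def load_results(raw: str) -> list:
    """Per-target results, accepting both the SchemaVersion 2 wrapper and the older bare list."""
    data = json.loads(raw) or {}
    if isinstance(data, list):
        return data
    return data.get("Results") or []   # "Results" is null when the scan found nothing


def severity_counts(raw: str) -> Counter:
    """Findings per severity across OS packages and libraries (TRIVY_VULN_TYPE=os,library)."""
    counts: Counter = Counter()
    for result in load_results(raw):
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return counts


def gating_findings(raw: str, severities: str = "HIGH,CRITICAL") -> list:
    """Findings that trip TRIVY_EXIT_CODE=1 under the TRIVY_SEVERITY filter; entries are
    (target, id, package, severity, fixed_version), with "" meaning no fix is released yet."""
    wanted = {s.strip().upper() for s in severities.split(",")}
    return [(r["Target"], v["VulnerabilityID"], v["PkgName"], v["Severity"], v.get("FixedVersion", ""))
            for r in load_results(raw)
            for v in r.get("Vulnerabilities") or []
            if v.get("Severity") in wanted]
```

Pointing `gating_findings` at the job's artifact reproduces the exit-code decision locally, and the empty `fixed_version` entries are the ones a rebuild alone will not clear.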

GitLab is in the process of implementing a variant of this; see the issue here.
