GitLab CI

If you’re a GitLab Ultimate customer, GitLab 14.0 and above include out-of-the-box integration with Trivy. To enable it for your project, simply add the container scanning template to your .gitlab-ci.yml file. For more details, please refer to GitLab’s documentation.

If you’re using an earlier version of GitLab, you can still use the new integration by copying the contents of the 14.0 template to your configuration.

Alternatively, you can always use the example configurations below.

```yaml
stages:
  - test

trivy:
  stage: test
  image: docker:stable
  services:
    - name: docker:dind
      entrypoint: ["env", "-u", "DOCKER_HOST"]
      command: ["dockerd-entrypoint.sh"]
  variables:
    DOCKER_HOST: tcp://docker:2375/
    DOCKER_DRIVER: overlay2
    # See https://github.com/docker-library/docker/pull/166
    DOCKER_TLS_CERTDIR: ""
    IMAGE: trivy-ci-test:$CI_COMMIT_SHA
  before_script:
    # Resolve the latest Trivy release tag and download the matching Linux build
    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - echo $TRIVY_VERSION
    - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
  allow_failure: true
  script:
    # Build image
    - docker build -t $IMAGE .
    # Build report (the `image` subcommand is required by current Trivy releases)
    - ./trivy image --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
    # Print report
    - ./trivy image --exit-code 0 --cache-dir .trivycache/ --no-progress --severity HIGH $IMAGE
    # Fail on severe vulnerabilities
    - ./trivy image --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress $IMAGE
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
```

Example Repository

GitLab CI using Trivy container

To scan a previously built image that has already been pushed to the GitLab container registry, the following CI job manifest can be used. Note that the image's entrypoint needs to be unset for the script section to work. For a non-public GitLab project, Trivy additionally needs to authenticate to the registry to be able to pull your application image. Finally, it is not necessary to clone the project repository, as the job only works with the container image.

```yaml
container_scanning:
  image:
    name: docker.io/aquasec/trivy:latest
    entrypoint: [""]
  variables:
    # No need to clone the repo, we exclusively work on artifacts. See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    GIT_STRATEGY: none
    # Registry credentials so Trivy can pull the image from a non-public project
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
  script:
    - trivy --version
    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
    - time trivy image --clear-cache
    # update vulnerabilities db
    - time trivy image --download-db-only --no-progress --cache-dir .trivycache/
    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
    - time trivy image --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl"
        --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
    # Prints full report
    - time trivy image --exit-code 0 --cache-dir .trivycache/ --no-progress "$FULL_IMAGE_NAME"
    # Fail on critical vulnerabilities
    - time trivy image --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
  artifacts:
    when: always
    reports:
      container_scanning: gl-container-scanning-report.json
  tags:
    - docker-runner
```

GitLab CI alternative template

Depending on the edition of GitLab you have or your desired workflow, the container scanning template may not meet your needs. In addition to the container scanning template above, a template for the Code Climate (code quality) report format is included. The key things to change from the examples above are the template and the report type. An updated example is below.

```yaml
stages:
  - test

trivy:
  stage: test
  image: docker:stable
  services:
    - name: docker:dind
      entrypoint: ["env", "-u", "DOCKER_HOST"]
      command: ["dockerd-entrypoint.sh"]
  variables:
    DOCKER_HOST: tcp://docker:2375/
    DOCKER_DRIVER: overlay2
    # See https://github.com/docker-library/docker/pull/166
    DOCKER_TLS_CERTDIR: ""
    IMAGE: trivy-ci-test:$CI_COMMIT_SHA
  before_script:
    # Resolve the latest Trivy release tag and download the matching Linux build
    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - echo $TRIVY_VERSION
    - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
  allow_failure: true
  script:
    # Build image
    - docker build -t $IMAGE .
    # Build report in Code Climate format (the `image` subcommand is required by current Trivy releases)
    - ./trivy image --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab-codeclimate.tpl" -o gl-codeclimate.json $IMAGE
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
  artifacts:
    paths:
      - gl-codeclimate.json
    reports:
      codequality: gl-codeclimate.json
```

Currently GitLab only supports a single code quality report per pipeline. There is an open feature request to support multiple reports. Until this has been implemented, if you already have a code quality report in your pipeline, you can use jq to combine the reports. Depending on how you name your artifacts, it may be necessary to rename the earlier artifact if you want to reuse its name. To then combine the previous artifact with the output of Trivy, the following jq command can be used: `jq -s 'add' prev-codeclimate.json trivy-codeclimate.json > gl-codeclimate.json`.
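The merge step above, as an added example that is not part of the Trivy documentation or the project's code: it does what `jq -s 'add'` does (concatenate the JSON arrays in order) and additionally validates that each input is a Code Climate report and drops entries whose fingerprint was already seen, since GitLab uses the fingerprint to identify each finding. The file names, the sample findings and the field layout of the Trivy report are constructed for the example, and the vulnerability identifiers are placeholders.

```python
"""Combine several Code Climate (GitLab code quality) reports into one.

Equivalent to `jq -s 'add' prev-codeclimate.json trivy-codeclimate.json > gl-codeclimate.json`,
plus shape validation and de-duplication by fingerprint.
"""
import json
import tempfile
from pathlib import Path
from typing import Any, Dict, Iterable, List

# Keys GitLab expects in every Code Climate finding.
REQUIRED_KEYS = ("description", "fingerprint", "severity", "location")

# Constructed sample: what a linter job earlier in the same pipeline might have emitted.
PREV_REPORT = [
    {"description": "unused variable 'tmp'", "fingerprint": "lint-0001",
     "severity": "minor", "location": {"path": "app/main.py", "lines": {"begin": 12}}},
]

# Constructed sample in the shape of a Trivy Code Climate report (assumed layout;
# CVE identifiers are placeholders). The first two entries share a fingerprint on purpose.
TRIVY_REPORT = [
    {"description": "libexample (CVE-XXXX-YYYY): sample finding", "fingerprint": "trivy-0001",
     "severity": "critical", "location": {"path": "Dockerfile", "lines": {"begin": 1}}},
    {"description": "libexample (CVE-XXXX-YYYY): sample finding", "fingerprint": "trivy-0001",
     "severity": "critical", "location": {"path": "Dockerfile", "lines": {"begin": 1}}},
    {"description": "libother (CVE-XXXX-ZZZZ): sample finding", "fingerprint": "trivy-0002",
     "severity": "major", "location": {"path": "Dockerfile", "lines": {"begin": 1}}},
]


def load_report(text: str) -> List[Dict[str, Any]]:
    """Parse one Code Climate report; reject anything that is not a JSON array of findings."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("Code Climate report must be a JSON array of findings")
    for entry in data:
        if not isinstance(entry, dict):
            raise ValueError("each finding must be a JSON object")
        missing = [k for k in REQUIRED_KEYS if k not in entry]
        if missing:
            raise ValueError(f"finding is missing required keys: {missing}")
    return data


def merge_reports(reports: Iterable[List[Dict[str, Any]]]) -> List[Dict[str, Any]]:
    """Concatenate reports in order (like `jq -s 'add'`), keeping the first entry per fingerprint."""
    seen = set()
    merged: List[Dict[str, Any]] = []
    for report in reports:
        for entry in report:
            fingerprint = entry["fingerprint"]
            if fingerprint in seen:
                continue
            seen.add(fingerprint)
            merged.append(entry)
    return merged


def merge_files(inputs: Iterable[Path], output: Path) -> int:
    """Read each input report, write the combined report to `output`, return the finding count."""
    reports = [load_report(p.read_text()) for p in inputs]
    merged = merge_reports(reports)
    output.write_text(json.dumps(merged, indent=2))
    return len(merged)


def demo() -> int:
    """Write the constructed reports to a temp dir and combine them as a CI job would."""
    with tempfile.TemporaryDirectory() as workdir:
        prev = Path(workdir) / "prev-codeclimate.json"   # the renamed earlier artifact
        trivy = Path(workdir) / "trivy-codeclimate.json"
        out = Path(workdir) / "gl-codeclimate.json"      # the name `codequality:` points at
        prev.write_text(json.dumps(PREV_REPORT))
        trivy.write_text(json.dumps(TRIVY_REPORT))
        return merge_files([prev, trivy], out)


if __name__ == "__main__":
    print(f"combined report contains {demo()} findings")
```

Run it as a step of the job that owns the combined artifact, after the earlier report has been renamed so that `gl-codeclimate.json` is only ever written by the merge; `jq -s 'add'` would keep both copies of a duplicated finding, whereas this version keeps the first.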