refactor(trivy): run Trivy scan only once

87c4d9a0 · Bertrand Goareguer · Pierre Smeyers · 6b65acd2 · 87c4d9a0
Commit 87c4d9a0 authored 7 months ago by Bertrand Goareguer Committed by Pierre Smeyers 7 months ago
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -993,15 +993,17 @@ docker-trivy:
    # Add common trivy arguments
    # The Java DB is downloaded client-side in client/server mode (https://github.com/aquasecurity/trivy/issues/3560), so we need to specify the Java DB repository
    export trivy_opts="${trivy_opts} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}"
-    # GitLab format (no fail)
-    trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $DOCKER_SNAPSHOT_IMAGE
+    # Generate the native JSON report that can later be converted to other formats
-    # JSON format (no fail)
+    trivy ${trivy_opts} --exit-code 1 --format json --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE || exit_code=$?
-    if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
-    then
+    # Generate a report in the GitLab format
-      trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE
+    trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json reports/docker-trivy-${basename}.native.json
-    fi
-    # console output (fail)
+    # console output
-    trivy ${trivy_opts} --format table --exit-code 1 $DOCKER_SNAPSHOT_IMAGE
+    trivy convert --format table reports/docker-trivy-${basename}.native.json
+    exit $exit_code
  artifacts:
    when: always
    paths: