diff --git a/README.md b/README.md index 92a1a13ce5fe5700f4392970eb93c420dc114c74..4c248472e0e00a69eceee4b2f58db35f0115717c 100644 --- a/README.md +++ b/README.md @@ -411,15 +411,15 @@ In case your image takes quite some time to be downloaded by the runner, increas ### `docker-trivy` job -This job performs a Vulnerability Static Analysis with [Trivy](https://github.com/aquasecurity/trivy) on your built image. +This job performs a Vulnerability Static Analysis with [Trivy](https://aquasecurity.github.io/trivy) on your built image. -Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/v0.28.0/docs/references/modes/standalone/) mode. +Without any configuration Trivy will run in [standalone](https://aquasecurity.github.io/trivy/latest/docs/references/modes/standalone/) mode. -If you want to run Trivy in client/server mode, you need to set the `DOCKER_TRIVY_ADDR` environment variable. +If you want to run Trivy in client/server mode, you need to set the `TRIVY_SERVER` environment variable. ```yaml variables: - DOCKER_TRIVY_ADDR: "https://trivy.acme.host" + TRIVY_SERVER: "https://trivy.acme.host" ``` It is bound to the `package-test` stage, and uses the following variables: 
@@ -427,19 +427,23 @@ It is bound to the `package-test` stage, and uses the following variables: | Input / Variable | Description | Default value | | -------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------- | | `trivy-image` / `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `registry.hub.docker.com/aquasec/trivy:latest` | -| `trivy-addr` / `DOCKER_TRIVY_ADDR` | The Trivy server address (for client/server mode) | _(none: standalone mode)_ | -| `trivy-security-level-threshold` / `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD` | Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | | `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis | _(none)_ | -| `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/) | `--ignore-unfixed --vuln-type os --exit-on-eol 1 --detection-priority comprehensive` | -| `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | OCI repository to retrieve Trivy Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-db`) | -| `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY` | OCI repository to retrieve Trivy Java Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)\_ | +| `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) | `--ignore-unfixed --vuln-type os --exit-on-eol 1 --detection-priority comprehensive` | + +Other Trivy parameters shall be configured using [Trivy environment 
variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options). +Examples: + +* `TRIVY_SEVERITY`: severities of security issues to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) +* `TRIVY_SERVER`: server address (enables client/server mode) +* `TRIVY_DB_REPOSITORY`: OCI repository to retrieve Trivy Database from +* `TRIVY_JAVA_DB_REPOSITORY`: OCI repository to retrieve Trivy Java Database from In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher: | Report | Format | Usage | | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#trivy)<br/>_This report is generated only if DefectDojo template is detected_ | -| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/v0.30.4/docs/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) | +| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) | ### `docker-sbom` job diff --git a/kicker.json b/kicker.json index ee58d770b2d13b1551b45b2ea8f6004656230acd..78bbb8409fb194426436e7ca445f763c96949645 100644 
--- a/kicker.json +++ b/kicker.json @@ -174,7 +174,7 @@ { "id": "trivy", "name": "Trivy", - "description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis", + "description": "[Trivy](https://aquasecurity.github.io/trivy) vulnerability analysis", "disable_with": "DOCKER_TRIVY_DISABLED", "variables": [ { @@ -183,33 +183,11 @@ "default": "registry.hub.docker.com/aquasec/trivy:latest", "advanced": true }, - { - "name": "DOCKER_TRIVY_ADDR", - "type": "url", - "description": "The Trivy server address" - }, - { - "name": "DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD", - "type": "enum", - "values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"], - "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)", - "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - }, { "name": "DOCKER_TRIVY_ARGS", - "description": "Additional `trivy client` arguments", + "description": "Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)", "default": "--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive", "advanced": true - }, - { - "name": "DOCKER_TRIVY_DB_REPOSITORY", - "description": "OCI repository to retrieve Trivy Database from", - "advanced": true - }, - { - "name": "DOCKER_TRIVY_JAVA_DB_REPOSITORY", - "description": "OCI repository to retrieve Trivy Java Database from", - "advanced": true } ] }, diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 892d44e030279d10688c1deb163b6dd1ceee76af..29e5494e43c5180032852ceae12ec50e5e369868 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml 
@@ -158,27 +158,9 @@ spec: trivy-image: description: The docker image used to scan images with Trivy default: registry.hub.docker.com/aquasec/trivy:latest - trivy-addr: - description: The Trivy server address - default: '' - trivy-security-level-threshold: - description: 'Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)' - options: - - UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL - - LOW,MEDIUM,HIGH,CRITICAL - - MEDIUM,HIGH,CRITICAL - - HIGH,CRITICAL - - CRITICAL - default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL trivy-args: - description: Additional `trivy client` arguments + description: Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) default: --ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive - trivy-db-repository: - description: Custom OCI repository to retrieve Trivy Database from - default: '' - trivy-java-db-repository: - description: Custom Java DB repository path - default: '' sbom-disabled: description: Disable Software Bill of Materials type: boolean @@ -254,11 +236,9 @@ variables: DOCKER_SNAPSHOT_IMAGE: $[[ inputs.snapshot-image ]] DOCKER_RELEASE_IMAGE: $[[ inputs.release-image ]] - DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]] DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]] DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]] - DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]] - DOCKER_TRIVY_JAVA_DB_REPOSITORY: $[[ inputs.trivy-java-db-repository ]] + DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]] # SBOM genenration image and arguments DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]] 
@@ -294,8 +274,6 @@ variables: DOCKER_HEALTHCHECK_DISABLED: $[[ inputs.healthcheck-disabled ]] DOCKER_HEALTHCHECK_OPTIONS: $[[ inputs.healthcheck-options ]] DOCKER_HEALTHCHECK_CONTAINER_ARGS: $[[ inputs.healthcheck-container-args ]] - DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]] - DOCKER_TRIVY_ADDR: $[[ inputs.trivy-addr ]] DOCKER_SBOM_DISABLED: $[[ inputs.sbom-disabled ]] # ================================================== 
@@ -994,19 +972,11 @@ docker-trivy: export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}} basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g') mkdir -p ./reports - if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then - log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m" - export trivy_opts="image ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository $DOCKER_TRIVY_DB_REPOSITORY}" - else - log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}" - export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}" + if [[ -z "$TRIVY_SERVER" ]]; then + log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m" fi - # Add common trivy arguments - # The Java DB is downloaded client-side in client/server mode (https://github.com/aquasecurity/trivy/issues/3560), so we need to specify the Java DB repository - export trivy_opts="${trivy_opts} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}" - # Generate the native JSON report that can later be converted to other formats - trivy ${trivy_opts} --exit-code 1 --format json --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE || exit_code=$? + trivy image --no-progress ${DOCKER_TRIVY_ARGS} --exit-code 1 --format json --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE || exit_code=$? 
# Generate a report in the GitLab format trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json reports/docker-trivy-${basename}.native.json
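Review bot: in the README hunk at `@@ -427,19 +427,23 @@` the documented default for `trivy-args` (`--ignore-unfixed --vuln-type os --exit-on-eol 1 --detection-priority comprehensive`) disagrees with the default this same patch sets in `kicker.json` and `templates/gitlab-ci-docker.yml` (`--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive`); `--pkg-types` is the current Trivy spelling and `--vuln-type` the older one, so update the README row to `--pkg-types os` so that readers copy the value the template actually uses. The sentence "Other Trivy parameters shall be configured using Trivy environment variables" links to the same `trivy image` `#options` anchor as the `trivy-args` row; either link the page of the Trivy docs that describes the environment-variable form of the options, or say in the sentence that each option on that page can be set as the corresponding `TRIVY_*` variable, which is the convention the four bullets below already rely on.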
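Review bot: the `kicker.json` and `spec` hunks remove the `DOCKER_TRIVY_ADDR`, `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD`, `DOCKER_TRIVY_DB_REPOSITORY` and `DOCKER_TRIVY_JAVA_DB_REPOSITORY` variables and their inputs, so a project that still sets any of them will have its setting silently ignored after upgrading: the scan falls back to standalone mode, the public DB repositories and Trivy's default severity list without any message. Suggest marking this as a breaking change in the changelog and adding a short migration note to the README (`DOCKER_TRIVY_ADDR` becomes `TRIVY_SERVER`, `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD` becomes `TRIVY_SEVERITY`, and so on), and, in the `docker-trivy` script, a `log_warn` when one of the removed variables is still non-empty, naming the replacement. A transitional mapping along the lines of `export TRIVY_SERVER="${TRIVY_SERVER:-$DOCKER_TRIVY_ADDR}"` for one release would avoid an air-gapped project unknowingly scanning against the public repositories.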
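Review bot: in the `docker-trivy` hunk at `@@ -994,19 +972,11 @@` the comment explaining that the Java DB is downloaded client-side even in client/server mode (trivy issue 3560) is deleted together with the `--java-db-repository` handling, but the constraint it documents still applies to users who now set `TRIVY_JAVA_DB_REPOSITORY` themselves; move that note to the `TRIVY_JAVA_DB_REPOSITORY` bullet in the README so that a client/server user behind a private registry knows the variable must be set on the client job, not only on the server. The hunk also drops the `log_info` line that recorded which Trivy server performed the scan; keep a log line in the `else` branch (something like `log_info "Using Trivy server ${TRIVY_SERVER}"`) so the job log still shows which server produced the findings. Lastly, `--severity` was previously always passed from an input restricted to five fixed option sets, whereas `TRIVY_SEVERITY` is now free text that is validated only by Trivy at run time; worth one sentence in the README stating the accepted values and that the default is all severities, since the README table no longer shows a default for it.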