[extensions-web/devops/trivy] ci: move away from safety to trivy




commit 456a44bd18e5521f095fe66b6d1c322ce342696a
Author: Yuri Konotopov <ykonotopov gnome org>
Date:   Tue Mar 8 14:09:37 2022 +0400

    ci: move away from safety to trivy

 .gitlab-ci.yml | 21 ++++++++++++++-------
 .trivyignore   |  2 ++
 2 files changed, 16 insertions(+), 7 deletions(-)
---
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e2984bf..53d5e82 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -33,13 +33,20 @@ test:
           - '3.10'
 
 security:
-  extends:
-    - .pip cache
   stage: test
-  image: python:$PYTHON_VERSION
-  before_script:
-    - pip install safety
+  image:
+    name: aquasec/trivy
+    entrypoint: [""]
   script:
-    - safety check -r requirements.txt
-    - safety check -r requirements.ego.txt
+    - trivy fs .
   allow_failure: true
+  cache:
+    paths:
+      - .trivy
+    when: always
+  variables:
+    TRIVY_CACHE_DIR: .trivy
+    TRIVY_EXIT_CODE: 1
+    TRIVY_SECURITY_CHECKS: vuln,config
+    # This is single-run job so we do not care of k8s recommendations
+    TRIVY_SKIP_FILES: openshift/jobs/reindex-extensions.yml
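Review bot: The scanner image on the `name: aquasec/trivy` line is unpinned, so each run pulls whatever `latest` resolves to; scan results become non-reproducible and the job's contents are trusted to an image that can change underneath it, so pin a tag (`name: aquasec/trivy:<pinned-version>`, or a digest). `TRIVY_EXIT_CODE: 1` has no effect on the pipeline while `allow_failure: true` is kept, so findings are reported but never block; if that is the intended migration step, say so with `# allow_failure until existing findings are triaged, then drop it so TRIVY_EXIT_CODE gates the pipeline`. The `TRIVY_SECURITY_CHECKS` variable name and the `.trivy` cache are version-dependent, which is a further reason to pin; quoting `TRIVY_EXIT_CODE: "1"` would also keep the value a string like the other variables. The `security:` job appears complete within the hunk, though the file continues past it.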
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..c60ec23
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,2 @@
+# We don't ready to migrate to non-root images
+DS002
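Review bot: The DS002 suppression in `.trivyignore` is repository-wide and open-ended: it silences the run-as-root check for every Dockerfile Trivy finds, not only the images the comment has in mind, and nothing records when it should be revisited. The comment should name the constraint and a follow-up, e.g. `# DS002 (container runs as root): base images not yet migrated to non-root; revisit under <tracking ref>`. If the Trivy version in use supports expiry dates in `.trivyignore`, attaching one would keep the suppression from outliving its reason.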

