-
Notifications
You must be signed in to change notification settings - Fork 2
/
gitlab-trivy-checks.yaml
33 lines (32 loc) · 1.53 KB
/
gitlab-trivy-checks.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
include:
- remote: https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-security-checks/main/security-checks.yaml
- remote: https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-license-checks/main/license-checks.yaml
- remote: https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-config-checks/main/config-checks.yaml
check trivy scan results:
stage: test
image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine:latest
services: []
needs:
- container_scanning
- license_scanning
# List all your container/license scanning jobs here, one per line
# - container_scanning_frontend
# - license_scanning_frontend
tags:
- small-runner
before_script:
- apk update && apk add jq coreutils grep
script:
- echo "Step 1 - Merge all codeclimate reports from scanning jobs"
- jq -s 'add' gl-codeclimate*.json > gl-codeclimate.json
- echo "Step 2 - Check if there were any vulnerabilities and exit with a status code equal to the number of vulnerabilities"
# if . == null > all codeclimate-files were empty (null) -> No issues found, else find and count all type == "issue" elements
# Exit codes:
# 0 => jq returned true - no issues found
# 1 => jq returned false/null - found more than 0 issues
# 4 => jq found a syntax error in the merged JSON file
- jq -e 'if . == null then true else map(select(.type == "issue")) | length == 0 end' ./gl-codeclimate.json
# Enables CodeQuality Widget in Merge Request
artifacts:
paths:
- gl-codeclimate.json