This component executes Trivy vulnerability and misconfiguration scans against container images or filesystem paths and produces machine-readable reports.

Variables

Name	required	Hints
TRIVY_TIMEOUT	no	Global variable to set a custom scan timeout for long running scans

Usage

Scan the filesystem

• Create a new pipeline file

include:
- component: $CI_SERVER_FQDN/xrow-public/ci-tools/common@stable
- component: $CI_SERVER_FQDN/xrow-public/ci-tools/tivy@stable
  inputs:
    name: project
    path: .

Scan a container image

• Create a new pipeline file

include:
- component: $CI_SERVER_FQDN/xrow-public/ci-tools/common@stable
- component: $CI_SERVER_FQDN/xrow-public/ci-tools/tivy@stable
  inputs:
    name: image
    image: registry.gitlab.com/xrow-public/ci-tools/test-insecure-java-app:latest

Inputs

Name	Description	Default	Type
---	---	---	---
dependencies	The dependencies that this job depends on.	[]	array
image	Url to the image.		string
name	Name for the pipeline jobs and the container.	$CI_PROJECT_NAME	string
needs	The jobs that this job depends on.	[]	array
package-types	Package types to scan	["os","library"]	array
path	Path to the sources.	.	string
rules	The jobs that this job depends on.	[{"if":"$CI_PIPELINE_SOURCE == \"schedule\"","when":"never"},{"if":"$CI_PIPELINE_SOURCE == \"merge_request_event\"","when":"on_success"},{"when":"on_success"}]	array
scanners	Scanners to use. none, vuln, license, secret, misconfig	["vuln","secret","license","misconfig"]	array
scanning-allow-failure	Should the pipeline fail if scanning the built container image fails?	true	boolean
scanning-severity	What level of severity should cause scanning of the built container to fail?	CRITICAL	string
scanning-timeout	How long should the scanning process be allowed to run before timing out? Use format e.g. 5m0s		string
stage	The pipeline stage that the jobs belongs to.	build	string
tags	The runners that this job depends on.	[]	array