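# Hidden job template: Trivy image scan shared by the *-scan jobs below.
# A consuming job sets IMAGE_NAME (image reference to scan; the template
# appends "-unverified") and SHORT_NAME (prefix of the report file), and
# pulls this in via `extends`. `set-vars` and `.triggers` live outside
# this file.
.scan:
  stage: scan
  needs:
    - set-vars
  image:
    # Scanner pinned by tag only. A digest pin (`name@sha256:...`) would
    # make the scanner itself immutable, which matters for a job whose
    # exit code acts as a security gate.
    name: docker.io/aquasec/trivy:0.23.0
    # Override the image entrypoint so the script lines run as-is.
    entrypoint: [""]
  variables:
    # No checkout needed: the job only scans an already-built image.
    GIT_STRATEGY: none
  script:
    - trivy --version
    # NOTE(review): this call has no --cache-dir, so it may act on trivy's
    # default cache rather than .trivycache/ — confirm intent.
    - time trivy image --clear-cache
    # Pre-fetch the vulnerability DB into the cached directory so the three
    # scans below use the same DB snapshot.
    - time trivy --cache-dir .trivycache/ image --download-db-only --no-progress
    # 1. Machine-readable report for the container_scanning artifact
    #    (exit-code 0: never fails the job).
    - >
      time trivy --cache-dir .trivycache/ image --exit-code 0 --ignore-unfixed
      --no-progress --format template --template "@/contrib/gitlab.tpl"
      --output "$CI_PROJECT_DIR/$SHORT_NAME-imgscan.json"
      "${IMAGE_NAME}-unverified"
    # 2. Human-readable full report in the job log (never fails the job).
    - >
      time trivy --cache-dir .trivycache/ image --exit-code 0 --ignore-unfixed
      --no-progress "${IMAGE_NAME}-unverified"
    # 3. Gate: exit 1 on CRITICAL findings that have a fix available
    #    (--ignore-unfixed drops findings with no fix). HIGH and lower are
    #    printed above but do not block; widen with
    #    `--severity HIGH,CRITICAL` if the policy changes.
    - >
      time trivy --cache-dir .trivycache/ image --exit-code 1 --ignore-unfixed
      --severity CRITICAL --no-progress "${IMAGE_NAME}-unverified"
  cache:
    key: trivy-cache
    paths:
      - .trivycache/
    policy: pull-push
  artifacts:
    # Keep the report even when the gate step fails.
    when: always
    reports:
      container_scanning: $SHORT_NAME-imgscan.json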
# Scan the CKAN image produced by ckan-build.
ckan-scan:
  extends:
    - .triggers
    - .scan
  needs:
    - ckan-build
  variables:
    SHORT_NAME: "ckan"
    IMAGE_NAME: "${CKAN_IMAGE}"
  # The CRITICAL gate in .scan only warns for this image: the pipeline
  # continues even when the final scan step exits 1.
  allow_failure: true
# Scan the proxy image produced by proxy-build. No allow_failure here, so
# the CRITICAL gate in .scan blocks the pipeline for this image.
proxy-scan:
  extends:
    - .triggers
    - .scan
  needs:
    - proxy-build
  variables:
    SHORT_NAME: "proxy"
    IMAGE_NAME: "${PROXY_IMAGE}"
# Scan the database image produced by db-build; the report file is named
# with the "postgresql" prefix. The CRITICAL gate in .scan blocks here.
db-scan:
  extends:
    - .triggers
    - .scan
  needs:
    - db-build
  variables:
    SHORT_NAME: "postgresql"
    IMAGE_NAME: "${DB_IMAGE}"
# Scan the Solr image produced by solr-build.
solr-scan:
  extends:
    - .triggers
    - .scan
  needs:
    - solr-build
  variables:
    SHORT_NAME: "solr"
    IMAGE_NAME: "${SOLR_IMAGE}"
  # The CRITICAL gate in .scan only warns for this image: the pipeline
  # continues even when the final scan step exits 1.
  allow_failure: true
# Scan the Solr init image produced by solr-init-build; the report file is
# named with the "init_solr" prefix. The CRITICAL gate in .scan blocks here.
solr-init-scan:
  extends:
    - .triggers
    - .scan
  needs:
    - solr-init-build
  variables:
    SHORT_NAME: "init_solr"
    IMAGE_NAME: "${SOLR_INIT_IMAGE}"