diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a2eaa1f..a9501a3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -11,6 +11,9 @@ variables:
   TRIVY_CACHE_DIR: .cache/trivy
   TRIVY_NO_PROGRESS: "true"
   TRIVY_TIMEOUT: "10m0s"
+  TRIVY_USERNAME: $CI_REGISTRY_USER
+  TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
+  TRIVY_REGISTRY: $CI_REGISTRY
 
 cache:
   key: "${CI_COMMIT_REF_SLUG}"
@@ -20,9 +23,9 @@ cache:
   policy: pull-push
 
 .docker-job: &docker-job
-  image: docker:28.0
+  image: docker:28.5
   services:
-    - docker:28.0-dind
+    - docker:28.5-dind
   before_script:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
 
@@ -31,8 +34,6 @@ cache:
   image:
     name: aquasec/trivy:latest
     entrypoint: [""]
-  variables:
-    TRIVY_CACHE_DIR: .cache/trivy
   cache:
     paths:
       - $TRIVY_CACHE_DIR
@@ -63,10 +64,6 @@ cache:
   image:
     name: aquasec/trivy:latest
     entrypoint: [""]
-  variables:
-    TRIVY_CACHE_DIR: .cache/trivy
-    TRIVY_USERNAME: $CI_REGISTRY_USER
-    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
   cache:
     paths:
       - $TRIVY_CACHE_DIR
@@ -74,8 +71,17 @@ cache:
   before_script:
     - mkdir -p $TRIVY_CACHE_DIR
   script:
-    - trivy image --format cyclonedx --output image-sbom-${IMAGE_TYPE}.json $IMAGE_NAME:$CI_COMMIT_SHA
-    - trivy image --format sarif --output gl-sast-image-${IMAGE_TYPE}-report.json $IMAGE_NAME:$CI_COMMIT_SHA
+    - |
+      trivy image \
+        --scanners vuln \
+        --format cyclonedx \
+        --output image-sbom-${IMAGE_TYPE}.json \
+        $IMAGE_NAME:$CI_COMMIT_SHA
+    - |
+      trivy image \
+        --format sarif \
+        --output gl-sast-image-${IMAGE_TYPE}-report.json \
+        $IMAGE_NAME:$CI_COMMIT_SHA
   allow_failure: true
   artifacts:
     reports:
@@ -140,7 +146,7 @@ cache:
     - |
       REGISTRY_PREFIX=$CI_REGISTRY_IMAGE \
       docker compose -f compose.yaml -f compose.prod.yaml \
-        --profile migrations --profile tests up -d
+        --profile migrations --profile tests up -d -y --quiet-pull --quiet-build
     - |
       TEST_CONTAINER_ID=$(docker compose --profile migrations --profile tests ps -q tests -a)
       timeout 600 docker wait $TEST_CONTAINER_ID
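Review bot: `TRIVY_REGISTRY: $CI_REGISTRY`, the third added variable in the first hunk, does not map to any Trivy option I can find — Trivy's registry authentication is driven by TRIVY_USERNAME/TRIVY_PASSWORD (or TRIVY_REGISTRY_TOKEN) and those credentials are presented to whichever registry host the scanned image reference resolves to — so the line looks inert, and if it is meant to restrict the credentials to the GitLab registry it does not do that; either drop it or add a comment naming what consumes it, e.g. `# consumed by <tool>; Trivy itself ignores this`. Promoting TRIVY_USERNAME/TRIVY_PASSWORD to the global `variables:` block also exports them into every job's environment rather than only the two scan jobs that previously declared them; since the value is the job-token-backed $CI_REGISTRY_PASSWORD GitLab already injects into every job this adds no new secret, but a least-privilege layout would keep them in a shared `.trivy-job` anchor next to the cache settings and leave the global block for the non-secret TRIVY_* options. Whether the removed per-job blocks were the only consumers cannot be seen from these hunks.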
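Review bot: `--scanners vuln` on the CycloneDX invocation in the `@@ -74,8 +71,17 @@` hunk makes Trivy run a full vulnerability scan only to embed findings in the SBOM, while the SARIF invocation directly below scans the same image again with Trivy's default image scanners (vulnerabilities plus secrets), so the job now performs the vulnerability scan twice. If the CycloneDX artifact is meant as a plain SBOM for GitLab's dependency list, drop the flag (current Trivy releases emit SBOM-only CycloneDX when no scanner is requested); if findings inside the SBOM are wanted, say so in a comment such as `# --scanners vuln embeds findings in the SBOM; the SARIF run below is the report GitLab surfaces`. Either way the two commands should state the same `--scanners` set explicitly, otherwise the SARIF report silently includes secret-scanning results the SBOM run never looks for. Note that with `allow_failure: true` retained and no `--exit-code`/`--severity` on either command, neither scan can block the pipeline; the commit leaves that as it was. The job definition continues outside the hunk.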
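Review bot: `--quiet-pull` and `--quiet-build` on the `up` line in the last hunk suppress the only part of the job log that records which image digests were pulled and what was built for the test run, which is exactly what you need when a failed or suspicious run has to be reconstructed afterwards; if the noise reduction is wanted, follow `up` with a step that logs the resolved images, e.g. `docker compose --profile migrations --profile tests config --images | xargs -r docker image inspect --format '{{.RepoTags}} {{.RepoDigests}}'`. `-y` appears to be Compose's `--yes` (answer all prompts non-interactively), which is the right choice for CI, but it and `--quiet-build` require a recent Compose plugin; the `docker:28.5` image bumped in the earlier hunk presumably ships one, and a `docker compose version` in `before_script` would make a flag-rejection failure obvious rather than leaving only the exit code. The script block continues outside the hunk.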