fix: fix trivy access to registry

2025-11-17 22:58:24 +03:00
parent e7e3cf2b0f
commit 01227027e8
1 changed files with 17 additions and 11 deletions
@@ -11,6 +11,9 @@ variables:
  TRIVY_CACHE_DIR: .cache/trivy
  TRIVY_NO_PROGRESS: "true"
  TRIVY_TIMEOUT: "10m0s"
+  TRIVY_USERNAME: $CI_REGISTRY_USER
+  TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
+  TRIVY_REGISTRY: $CI_REGISTRY

 cache:
  key: "${CI_COMMIT_REF_SLUG}"
@@ -20,9 +23,9 @@ cache:
  policy: pull-push

 .docker-job: &docker-job
-  image: docker:28.0
+  image: docker:28.5
  services:
-    - docker:28.0-dind
+    - docker:28.5-dind
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY

@@ -31,8 +34,6 @@ cache:
  image: 
    name: aquasec/trivy:latest
    entrypoint: [""]
-  variables:
-    TRIVY_CACHE_DIR: .cache/trivy
  cache:
    paths:
      - $TRIVY_CACHE_DIR
@@ -63,10 +64,6 @@ cache:
  image: 
    name: aquasec/trivy:latest
    entrypoint: [""]
-  variables:
-    TRIVY_CACHE_DIR: .cache/trivy
-    TRIVY_USERNAME: $CI_REGISTRY_USER
-    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  cache:
    paths:
      - $TRIVY_CACHE_DIR
@@ -74,8 +71,17 @@ cache:
  before_script:
    - mkdir -p $TRIVY_CACHE_DIR
  script:
-    - trivy image --format cyclonedx --output image-sbom-${IMAGE_TYPE}.json $IMAGE_NAME:$CI_COMMIT_SHA
-    - trivy image --format sarif --output gl-sast-image-${IMAGE_TYPE}-report.json $IMAGE_NAME:$CI_COMMIT_SHA
+    - |
+      trivy image \
+        --scanners vuln \
+        --format cyclonedx \
+        --output image-sbom-${IMAGE_TYPE}.json \
+        $IMAGE_NAME:$CI_COMMIT_SHA
+    - |
+      trivy image \
+        --format sarif \
+        --output gl-sast-image-${IMAGE_TYPE}-report.json \
+        $IMAGE_NAME:$CI_COMMIT_SHA
  allow_failure: true
  artifacts:
    reports:
@@ -140,7 +146,7 @@ cache:
    - |
      REGISTRY_PREFIX=$CI_REGISTRY_IMAGE \
      docker compose -f compose.yaml -f compose.prod.yaml \
-        --profile migrations --profile tests up -d
+        --profile migrations --profile tests up -d -y --quiet-pull --quiet-build
    - |
      TEST_CONTAINER_ID=$(docker compose --profile migrations --profile tests ps -q tests -a)
      timeout 600 docker wait $TEST_CONTAINER_ID