feat(template) Add misconfigurations to gitlab codequality report #1756
Conversation
@natefear thanks for your contribution. Do you think you could update the documentation about how to use it? Some screenshots of the report would be nice to have in the documentation too. https://aquasecurity.github.io/trivy/v0.23.0/advanced/integrations/gitlab-ci/
8d613c6 to 36b25bb
Hi @krol3, I'll add some screenshots in a bit; I just would like to discuss the template further first :)
At present the gitlab-codequality.tpl template will set the package name and version as the path for vulnerabilities (CVEs):
trivy/contrib/gitlab-codequality.tpl, line 31 in 378b115
trivy/contrib/gitlab-codequality.tpl, line 5 in 378b115
aquasec/trivy (alpine 3.15.0) when scanning trivy. This is however not as useful as it could be when doing a filesystem scan, as in this scenario the .Target key is able to point to the exact file the vulnerability (CVE) originates from, e.g. a pip file, and you can then click on it in the GitLab UI to take you to the file.
To try to get the best of both, should I:
@knqyf263 would I be able to get your thoughts on the above ^? :)
To be honest, I've never used GitLab Code Quality, but it seems to be associated with the project's files. I feel like we should use
@knqyf263 I've added screenshots to make it clearer :) At present (master) we get the severity, CVE ID and title in the description, and the package name and version in the path, for CVEs when doing an image scan using the GitLab code quality template, and the same again for CVEs when doing a filesystem scan using the GitLab code quality template. After implementing option 1 (always setting path to $target for vulnerabilities (CVEs) but including the package name and version in the description), the package name and version would be moved to the description (taking suggestions on what separators to use) and the path would output the Docker image path (making it a bit easier to manually find the source of the CVE); however, this would greatly improve the output of CVEs picked up by filesystem scans, as the report can then link you to the file where the CVE originates.
Please add the screenshots in 'gitlab-ci.md' about the expected result in the Gitlab/codeQuality too.
@natefear Thanks for the detailed explanation. It looks good.
f832ace to 8cab693
Thanks, but the link seems to be broken. You can see the doc by running
@knqyf263 It works here and locally via mkdocs. I think it's broken when viewing in rich diff mode in the file changes UI because it's trying to look in the main branch -> https://github.com/aquasecurity/trivy/blob/main/docs/imgs/gitlab-codequality.png, which is 404
8cab693 to 876e37a
Fixed failing integration tests - https://github.com/aquasecurity/trivy/runs/5410960038?check_suite_focus=true#step:4:352 by updating the expected output https://github.com/aquasecurity/trivy/pull/1756/files#diff-987afca26799d63f38791b6b5f7f8e7dce0b1d123ea64db563f7e59ba92cae2fR6
We use MkDocs and it must work here after building the doc. You don't need to care about how it looks on GitHub.
Oh, I missed that you said it worked locally via mkdocs. Let me check it again.
876e37a to 729740d
@knqyf263 ahh, you're right, apologies, I'd not pushed the extra
2b1865e to 6ed2eb4
6ed2eb4 to 37fdd62
Nice improvement! Please consider this PR #1801
"Updated the GitLab CI examples to use the environment variables TRIVY_CACHE_DIR and TRIVY_NO_PROGRESS instead of providing them for every command"
@krol3 Seems odd that you want me to include the proposed changes from someone else's PR in this one? Shouldn't you be letting me merge and then asking the other PR author to rebase so they can add it where relevant?
@natefear, what I was trying to tell you is that you'll probably need to do a remerge. I will focus on reviewing your PR.
@krol3 ahh okay, sorry, didn't see their MR had already been approved :) I guess I'll wait for them to merge
Merged #1801
37fdd62 to 86a99d3
86a99d3 to 3a38f2e
LGTM. Thanks @natefear
Thanks!
Gitlab codequality report for misconfigurations was missing
Usage example:
trivy fs --security-checks config,vuln --format template --template "@contrib/gitlab-codequality.tpl" -o report.json {folder}
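As an added example (not part of this PR and not Trivy's own contrib/gitlab-codequality.tpl), the Go program below renders a constructed Trivy-style result set into a GitLab Code Quality report with Go text/template, the same mechanism `--format template` uses. It follows option 1 from the discussion above (location path is always the scan target, package name and version go into the description) and emits misconfigurations alongside vulnerabilities, as this PR adds. The struct fields, the severity mapping, the SHA-256 fingerprint scheme, the template text and the sample data are all assumptions of this example, not Trivy's types or template; the CVE and check IDs in the sample are placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// Constructed subset of Trivy's JSON result fields (assumption: names mirror the
// report keys used by the template, but these are not Trivy's own types).
type Vulnerability struct {
	VulnerabilityID  string
	PkgName          string
	InstalledVersion string
	Severity         string
	Title            string
}

type Misconfiguration struct {
	ID       string
	Title    string
	Severity string
	Message  string
}

type Result struct {
	Target            string
	Vulnerabilities   []Vulnerability
	Misconfigurations []Misconfiguration
}

// Issue is one entry of a GitLab Code Quality report (description, fingerprint,
// severity and a location with a path and a begin line).
type Issue struct {
	Description string   `json:"description"`
	Fingerprint string   `json:"fingerprint"`
	Severity    string   `json:"severity"`
	Location    Location `json:"location"`
}

type Location struct {
	Path  string `json:"path"`
	Lines struct {
		Begin int `json:"begin"`
	} `json:"lines"`
}

// Example template (assumption, not the project's contrib template): path is always
// $target; package name and version are carried in the description instead.
const codeQualityTemplate = `[
{{- $first := true }}
{{- range . }}
{{- $target := .Target }}
{{- range .Vulnerabilities }}
{{- if $first }}{{ $first = false }}{{ else }},{{ end }}
{"description": {{ printf "[%s] %s: %s %s - %s" .Severity .VulnerabilityID .PkgName .InstalledVersion .Title | toJSON }},
 "fingerprint": {{ fingerprint $target .VulnerabilityID .PkgName .InstalledVersion | toJSON }},
 "severity": {{ gitlabSeverity .Severity | toJSON }},
 "location": {"path": {{ $target | toJSON }}, "lines": {"begin": 1}}}
{{- end }}
{{- range .Misconfigurations }}
{{- if $first }}{{ $first = false }}{{ else }},{{ end }}
{"description": {{ printf "[%s] %s: %s - %s" .Severity .ID .Title .Message | toJSON }},
 "fingerprint": {{ fingerprint $target .ID .Title | toJSON }},
 "severity": {{ gitlabSeverity .Severity | toJSON }},
 "location": {"path": {{ $target | toJSON }}, "lines": {"begin": 1}}}
{{- end }}
{{- end }}
]`

// toJSON quotes and escapes a value so free text (titles, messages) cannot break the JSON.
func toJSON(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	return string(b), err
}

// fingerprint gives GitLab a stable identity per finding so it can diff reports between pipelines.
func fingerprint(parts ...string) string {
	sum := sha256.Sum256([]byte(strings.Join(parts, "|")))
	return hex.EncodeToString(sum[:])
}

// gitlabSeverity maps Trivy severities onto GitLab's levels (assumed mapping).
func gitlabSeverity(s string) string {
	switch strings.ToUpper(s) {
	case "CRITICAL":
		return "critical"
	case "HIGH":
		return "major"
	case "MEDIUM":
		return "minor"
	default:
		return "info"
	}
}

// RenderCodeQuality executes the template and parses its output back, so a
// template that produced invalid JSON fails here instead of in the GitLab UI.
func RenderCodeQuality(results []Result) ([]Issue, error) {
	tmpl, err := template.New("codequality").Funcs(template.FuncMap{
		"toJSON": toJSON, "fingerprint": fingerprint, "gitlabSeverity": gitlabSeverity,
	}).Parse(codeQualityTemplate)
	if err != nil {
		return nil, err
	}
	var buf strings.Builder
	if err := tmpl.Execute(&buf, results); err != nil {
		return nil, err
	}
	var issues []Issue
	if err := json.Unmarshal([]byte(buf.String()), &issues); err != nil {
		return nil, fmt.Errorf("template produced invalid JSON: %w", err)
	}
	return issues, nil
}

// SampleResults is constructed data imitating a `trivy fs --security-checks config,vuln` run.
func SampleResults() []Result {
	return []Result{
		{Target: "requirements.txt", Vulnerabilities: []Vulnerability{{
			VulnerabilityID: "CVE-0000-00000", // placeholder ID
			PkgName: "examplepkg", InstalledVersion: "1.0.0", Severity: "HIGH", Title: "placeholder title"}}},
		{Target: "Dockerfile", Misconfigurations: []Misconfiguration{{
			ID: "EXAMPLE-001", // placeholder check ID
			Title: "placeholder check", Severity: "MEDIUM", Message: "placeholder message"}}},
	}
}

func main() {
	issues, err := RenderCodeQuality(SampleResults())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	enc.Encode(issues)
}
```

Piping every free-text field through `toJSON` is the part worth copying into a real template: a package title containing a quote or backslash would otherwise corrupt the report, and GitLab silently drops a report it cannot parse.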