All committers have signed the CLA.

@natefear thanks for your contribution, do you think that you could update the documentation about how to use it, some screenshots about the report will be nice to have in the documentation too.

https://aquasecurity.github.io/trivy/v0.23.0/advanced/integrations/gitlab-ci/

Hi @krol3 I'll add some screen shots in a bit I just would like to discuss the template further first :)

At present the gitlab-codequality.tpl template will set the package name and version as the path for vulnerabilities (cve's)

To try to get the best of both, should I:

1. Always set path to $target for vulnerabilities (cve's) but include the package name and version in the description
2. Try to get the ArtifactType field exposed to the report templating logic then use this to create conditions - at present the untemplated json report includes an ArtifactType field (see code block below) which lets you know if the report is from an image or file system scan however the templating fuction only knows about the contents of the results array. See error: "output template" at <.ArtifactType>: can't evaluate field ArtifactType in type report.Results"
3. Create a separate template for filesystem scans

  "SchemaVersion": 2,
  "ArtifactName": ".",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [

@knqyf263 would I be able to get your thoughts on the above ^? :)

To be honest, I've never used GitLab Code Quality, but it seems to be associated with the project's files. I feel like we should use path for file paths. #1 looks good from that perspective.

@knqyf263 I've added screen shots to make it clearer :)

At present (master) we get the severity, CVE ID and title in the description and package name and version in the path for CVE's when doing an image scan using the gitlab code quality template:

and the same again for CVE's when doing an filesystem scan using the gitlab code quality template:

After implementing option 1: Always setting path to $target for vulnerabilities (CVE's) but include the package name and version in the description

The package name and version would be moved the the description (taking suggestions on what separators to use) and the path would output the docker image path (making it abit easier to manually find the source of the CVE)

N.B redacted part of the image path hence the blank bits

however this would greatly improve the output of CVE's picked up by filesystem scans as the report can then link you to the file where the CVE originates

N.B redacted part of the file path hence the blank bits

@natefear Thanks for the detailed explanation. It looks good.

@krol3 @knqyf263 Added a screen shot of the expected output when using the template to the docs, let me know if you want me to crop the screen shot further :) thanks

Thanks, but the link seems to be broken.

You can see the doc by running make mkdocs-serve and visiting http://localhost:8000. Also, you can refer to other places.

@knqyf263 It works here and locally via mkdocs, I think it's broken when viewing in rich diff mode in the files changes UI because it's trying to look in the main branch -> https://github.com/aquasecurity/trivy/blob/main/docs/imgs/gitlab-codequality.png which is 404

fixed failing integration tests - https://github.com/aquasecurity/trivy/runs/5410960038?check_suite_focus=true#step:4:352 by updating the expected output https://github.com/aquasecurity/trivy/pull/1756/files#diff-987afca26799d63f38791b6b5f7f8e7dce0b1d123ea64db563f7e59ba92cae2fR6

@knqyf263 It works here and locally via mkdocs, I think it's broken when viewing in rich diff mode in the files changes UI because it's trying to look in the main branch -> https://github.com/aquasecurity/trivy/blob/main/docs/imgs/gitlab-codequality.png which is 404

We use MkDocs and it must work here after building the doc. You don't need to care about how it looks like on GitHub.
https://aquasecurity.github.io/trivy/v0.24.2/advanced/integrations/gitlab-ci/

Oh, I missed you said it worked locally via mkdocs. Let me check it again.

Again, it doesn't work. The path seems to be wrong.

@knqyf263 ahh you're right apologies I'd not pushed the extra ../ - I've pushed it now

@knqyf263 @krol3 can someone kick the tests off, approve and merge this if you think it's ready :) thanks

the tests had already run successfully once, but I've had to rebase because the main branch has been updated

@knqyf263 @krol3 - by the time someone responds to run the tests or approves the PR my branch becomes out of sync with main :( try again please?

@knqyf263 @krol3 not sure if one of you triggered the tests, but they're done and ready for approval :) thanks

@krol3 Seems odd that you want me to include the proposed changes from someone else's PR in this one? shouldn't you be letting me merge and then asking other PR author to rebase so they can add it where relevant

@natefear, I was trying to tell you, is that you'll probably need to do a remerge. I will focus on reviewing your PR

@krol3 ahh okay sorry didn't see there MR had already been approved :) I guess I'll wait for them to merge

Merged #1801

@krol3 @knqyf263 rebased to include the CI env var changes

@krol3 @knqyf263 rebased again :(

@krol3 @knqyf263 are either of you authorised to merge :) ty

Thanks!