tweaks to vuln filters, add code quality

.gitlab-ci.yml

@@ -4,6 +4,10 @@
 image: docker:24.0.6
 services:
   - docker:24.0.6-dind
+
+include:
+  - template: Code-Quality.gitlab-ci.yml
+
 stages:
   - template
   - run

ci-scripts/scan

@@ -29,7 +29,7 @@ set -x
 
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 trivy_dir="${SCRIPT_DIR}/trivy"
-trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --ignore-unfixed --ignore-policy ${SCRIPT_DIR}/vulnerability-filter.rego --cache-dir $HOME/.trivycache $options"
+trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --ignore-status will_not_fix,fix_deferred --ignore-policy ${SCRIPT_DIR}/vulnerability-filter.rego --cache-dir $HOME/.trivycache $options" #--ignore-unfixed --severity HIGH,CRITICAL,MEDIUM
 source_dir="${CI_PROJECT_DIR:-$trivy_dir}"
 
 build_report

ci-scripts/vulnerability-filter.rego

@@ -4,6 +4,12 @@ import data.lib.trivy
 
 default ignore = false
 
+# Ignore unfixed low and medium
+ignore {
+    not input.FixedVersion
+    input.Severity == {"LOW", "MEDIUM"}[_]
+}
+
 # KASM-5262 - False positives in libssl1.1 library that is manually installed on some distros
 ignore {
 	input.PkgName == "libssl1.1"