extern/workspaces-core-images
1
0
Fork 0
mirror of https://github.com/kasmtech/workspaces-core-images.git synced 2025-06-25 22:41:47 +02:00
Code Issues Packages Projects Releases Wiki Activity

tweaks to vuln filters, add code quality

Browse Source
This commit is contained in:
Matthew McClaskey 2023-11-24 17:08:40 +00:00
parent cda41bf89f
commit 16c44916af
3 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitlab-ci.yml
View File

@ -4,6 +4,10 @@
image: docker:24.0.6 image: docker:24.0.6
services: services:
- docker:24.0.6-dind - docker:24.0.6-dind
include:
- template: Code-Quality.gitlab-ci.yml
stages: stages:
- template - template
- run - run

2
ci-scripts/scan
View File

@ -29,7 +29,7 @@ set -x
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
trivy_dir="${SCRIPT_DIR}/trivy" trivy_dir="${SCRIPT_DIR}/trivy"
trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --ignore-unfixed --ignore-policy ${SCRIPT_DIR}/vulnerability-filter.rego --cache-dir $HOME/.trivycache $options" trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --ignore-status will_not_fix,fix_deferred --ignore-policy ${SCRIPT_DIR}/vulnerability-filter.rego --cache-dir $HOME/.trivycache $options" #--ignore-unfixed --severity HIGH,CRITICAL,MEDIUM
source_dir="${CI_PROJECT_DIR:-$trivy_dir}" source_dir="${CI_PROJECT_DIR:-$trivy_dir}"
build_report build_report

6
ci-scripts/vulnerability-filter.rego
View File

@ -4,6 +4,12 @@ import data.lib.trivy
default ignore = false default ignore = false
# Ignore unfixed low and medium
ignore {
not input.FixedVersion
input.Severity == {"LOW", "MEDIUM"}[_]
}
# KASM-5262 - False positives in libssl1.1 library that is manually installed on some distros # KASM-5262 - False positives in libssl1.1 library that is manually installed on some distros
ignore { ignore {
input.PkgName == "libssl1.1" input.PkgName == "libssl1.1"