
Update bundled Trivy to 0.56.1


What does this MR do?

Updates bundled Trivy to 0.56.1.

Why is this change being made?

Please follow these steps to release the new version:

  1. Retrieve the image URL from the pipeline job log:

    • The job should have the title: release > tag branch:[trivy, Dockerfile]
    • Look for the image URL from the logs. It should look something like: registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning/tmp/trivy:193dca72bab3627976c62f4b6d3e7ccb438a7f5c
  2. Run a container scan using the image URL

    You can reference this Container Scanning Test repo to run a container scan.

    1. Run a new pipeline.
    2. Set a CI variable CS_ANALYZER_IMAGE with the image URL obtained from step 1.
    3. Set a CI variable CS_IMAGE to registry.gitlab.com/gitlab-org/security-products/tests/webgoat/develop:1ea6d6bb5e1e770dae269d5f8866cdefbeb5da70.
    4. Check that the container scan completes without error.
  3. Check the Trivy changelog for any potential breaking changes that might affect the analyzer code.

  4. Ensure integration tests are passing.

  5. If all is good, merge this MR.

  6. Create a new tag based on the new version, which should have been auto-incremented.

    • The new version can be found in the version.rb file.
  7. A release pipeline will be triggered to release the new version.
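
"Completes without error" in step 2 is a weaker check than a reviewer wants for a scanner bump: a green job can still come from a scan that fell back to an older bundled Trivy or that loaded no vulnerability database. The script below is an added example, not code from the container-scanning project. It reads the gl-container-scanning-report.json artifact the container_scanning job uploads, using the `scan` block of the GitLab security report schema (`scan.status`, `scan.scanner.id`, `scan.scanner.version`), and confirms the scan succeeded and was produced by Trivy 0.56.1. The sample report it falls back to is constructed for illustration; the analyzer version, timestamps and findings in it are placeholders, not values from the pipelines linked under Evidence.

```python
"""Sanity check for a bundled-Trivy bump (added example, not the
container-scanning project's own code).

After the test pipeline from step 2 finishes, download the
gl-container-scanning-report.json artifact from the container_scanning job
and run this check over it. It reads the `scan` block of the GitLab security
report schema and confirms the scan finished with status "success" and was
produced by the Trivy version this MR bundles.
"""
import json
import sys
from typing import List

EXPECTED_TRIVY_VERSION = "0.56.1"


def build_report(status: str = "success",
                 scanner_id: str = "trivy",
                 scanner_version: str = EXPECTED_TRIVY_VERSION,
                 vulnerability_count: int = 2) -> str:
    """Return a constructed report JSON string shaped like the real artifact.

    Only the fields the check reads are filled in realistically; the rest
    are placeholders and are not values from any real pipeline run.
    """
    vulns = [
        {"id": f"constructed-{i}", "name": "placeholder finding",
         "severity": "Medium", "location": {"image": "example:tag"}}
        for i in range(vulnerability_count)
    ]
    report = {
        "version": "15.0.7",  # schema version placeholder
        "scan": {
            "analyzer": {"id": "gcs", "name": "GitLab Container Scanning",
                         "vendor": {"name": "GitLab"}, "version": "0.0.0"},
            "scanner": {"id": scanner_id, "name": "Trivy",
                        "vendor": {"name": "GitLab"},
                        "version": scanner_version},
            "type": "container_scanning",
            "start_time": "2024-10-09T12:00:00",  # placeholder
            "end_time": "2024-10-09T12:01:30",    # placeholder
            "status": status,
        },
        "vulnerabilities": vulns,
    }
    return json.dumps(report)


def check_report(report_json: str,
                 expected_trivy: str = EXPECTED_TRIVY_VERSION,
                 min_vulnerabilities: int = 0) -> List[str]:
    """Return a list of problems found in the report; an empty list means OK."""
    problems: List[str] = []
    try:
        report = json.loads(report_json)
    except json.JSONDecodeError as exc:
        return [f"report is not valid JSON: {exc}"]

    scan = report.get("scan") or {}
    status = scan.get("status")
    if status != "success":
        problems.append(f"scan status is {status!r}, expected 'success'")

    scanner = scan.get("scanner") or {}
    if scanner.get("id") != "trivy":
        problems.append(f"scanner id is {scanner.get('id')!r}, expected 'trivy'")
    version = scanner.get("version")
    if version != expected_trivy:
        problems.append(f"scanner version is {version!r}, expected {expected_trivy!r}")

    vulns = report.get("vulnerabilities")
    if not isinstance(vulns, list):
        problems.append("'vulnerabilities' is missing or not a list")
    elif len(vulns) < min_vulnerabilities:
        # A deliberately vulnerable test image that yields zero findings
        # usually means the vulnerability DB never loaded.
        problems.append(f"only {len(vulns)} findings; expected at least {min_vulnerabilities}")
    return problems


def main(argv: List[str]) -> int:
    """Usage: python check_cs_report.py gl-container-scanning-report.json"""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = build_report()  # fall back to the constructed sample
    problems = check_report(data, min_vulnerabilities=1)
    for p in problems:
        print("FAIL:", p)
    print("OK" if not problems else f"{len(problems)} problem(s)")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once against the default-image job's artifact and once against the FIPS job's artifact; the two reports should both pass, and the `scanner.version` line is the quickest way to tell from the artifact alone that the job actually used the bumped Trivy rather than a cached analyzer image.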

What are the relevant issue numbers?

Relates to gitlab-org/gitlab#496660 (closed)

Evidence

  • Successful job with default image.
  • Successful job with FIPS image.

Changelog

Does this MR meet the acceptance criteria?

Edited by Oscar Tovar
