feat: normalize reports

e8d505fe · Pierre Smeyers · 33ec4159 · e8d505fe · e8d505fe
Commit e8d505fe authored 2 years ago by Pierre Smeyers
--- a/README.md
+++ b/README.md
@@ -179,8 +179,8 @@ It is bound to the `build` stage, and uses the following variables:

 | Name                       | Description                            | Default value                           |
 | -------------------------- | -------------------------------------- | --------------------------------------- |
-| `DOCKER_HADOLINT_IMAGE`    | The Hadolint image                     | `hadolint/hadolint:latest-alpine`              |
-| `DOCKER_HADOLINT_ARGS`     | Additional `hadolint` arguments        | ``                        |
+| `DOCKER_HADOLINT_IMAGE`    | The Hadolint image                     | `hadolint/hadolint:latest-alpine`       |
+| `DOCKER_HADOLINT_ARGS`     | Additional `hadolint` arguments        | _(none)_                        |

 In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.

@@ -194,6 +194,13 @@ FROM ubuntu
 RUN cd /tmp && echo "hello!"
 ```

+In addition to a textual report in the console, this job produces the following reports, kept for one day:
+
+| Report         | Format                                                                       | Usage             |
+| -------------- | ---------------------------------------------------------------------------- | ----------------- |
+| `reports/docker-hadolint-*.native.json`      | native hadolint test report (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#hadolint)<br/>_This report is generated only if DefectDojo template is detected_ |
+| `reports/docker-hadolint-*.codeclimate.json` | hadolint (GitLab) codeclimate format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality) |
+
 ### `docker-build` job

 This job builds the image and publishes it to the _snapshot_ repository.
@@ -302,6 +309,13 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `DOCKER_TRIVY_DISABLED`| Set to `true` to disable Trivy analysis          | _(none)_ |
 | `DOCKER_TRIVY_ARGS`    | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |

+In addition to a textual report in the console, this job produces the following reports, kept for one day:
+
+| Report         | Format                                                                       | Usage             |
+| -------------- | ---------------------------------------------------------------------------- | ----------------- |
+| `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#trivy)<br/>_This report is generated only if DefectDojo template is detected_ |
+| `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/v0.30.4/docs/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) |
+
 ### `docker-publish` job

 This job pushes (_promotes_) the built image as the _release_ image [skopeo](https://github.com/containers/skopeo).

--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -464,14 +464,17 @@ docker-hadolint:
  dependencies: []
  script:
    - autoconfig_hadolint
-    - mkdir -p reports
-    - chmod o+rwx reports
+    - mkdir -p -m 777 reports
    - dockerfile_hash=$(md5sum "$DOCKER_FILE" | cut -d" " -f1)
    # Output in Code Climate format (GitLab integration)
-    - hadolint --no-fail -f gitlab_codeclimate $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" > "reports/hadolint-cc-${dockerfile_hash}.json"
+    - hadolint --no-fail -f gitlab_codeclimate $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" > "reports/docker-hadolint-${dockerfile_hash}.codeclimate.json"
    # Output in JSON format
-    - hadolint --no-fail -f json $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" > "reports/hadolint-json-${dockerfile_hash}.json"
-    # las run with console output (with failure)
+    - |
+      if [[ "$DEFECTDOJO_HADOLINT_REPORTS"]]
+      then
+        hadolint --no-fail -f json $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" > "reports/docker-hadolint-${dockerfile_hash}.native.json"
+      fi
+    # last run with console output (with failure)
    - hadolint $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE"
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
@@ -479,9 +482,9 @@ docker-hadolint:
    when: always
    reports:
      codequality:
-        - "reports/hadolint-cc-*.json"
+        - "reports/docker-hadolint-*.codeclimate.json"
    paths:
-      - "reports/hadolint-*.json"
+      - "reports/docker-hadolint-*"
  rules:
    # exclude if DOCKER_HADOLINT_DISABLED set
    - if: '$DOCKER_HADOLINT_DISABLED == "true"'
@@ -626,7 +629,7 @@ docker-trivy:
    trivy image --clear-cache
    export TRIVY_USERNAME=${DOCKER_REGISTRY_SNAPSHOT_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}
    export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
-    export FILENAME=trivy-$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
+    export basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
    mkdir -p ./reports
    if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
@@ -637,17 +640,22 @@ docker-trivy:
      export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}"
    fi
    # Add common trivy arguments
-    export trivy_opts="${trivy_opts} --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} --vuln-type os ${DOCKER_TRIVY_ARGS}"
-    # the first execution of Trivy should never fail, otherwise the other executions won't be run (so --exit-code=0)
-    trivy ${trivy_opts} --format template --template @/contrib/junit.tpl --output ./reports/${FILENAME}.xml --exit-code 0  $DOCKER_SNAPSHOT_IMAGE
-    trivy ${trivy_opts} --format json --output ./reports/${FILENAME}.json --exit-code 0 $DOCKER_SNAPSHOT_IMAGE
+    export trivy_opts="${trivy_opts} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}"
+    # GitLab format (no fail)
+    trivy ${trivy_opts} --format template --exit-code 0 --template "@contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $DOCKER_SNAPSHOT_IMAGE
+    # JSON format (no fail)
+    if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
+    then
+      trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $DOCKER_SNAPSHOT_IMAGE
+    fi
+    # console output (fail)
    trivy ${trivy_opts} --format table --exit-code 1 $DOCKER_SNAPSHOT_IMAGE
  artifacts:
    when: always
    paths:
-    - reports/
+    - "reports/docker-trivy-*"
    reports:
-      junit: "reports/*.xml"
+      container_scanning: "reports/docker-trivy-*.gitlab.json"
  cache:
    paths:
      - .trivycache/