
Container Image Scanning

We use Trivy for container image scanning.

Integrating in Gitlab CI/CD

Security scanning of container images can be added to your Gitlab CI/CD pipeline by adding the imagescan step from gitlab-ci-helpers.

An example of usage is documented in the hello-world project.

Ignoring specific CVEs

If you encounter a case where a specific CVE that hasn't been fixed upstream does not impact your container, you can make Trivy ignore it by setting the variable TRIVY_IGNORE_LIST to a string containing a space-separated list of the CVE identifiers that should be ignored. They are written to a .trivyignore file before the scan runs.

Example:

imagescan:
  extends: .imagescan
  variables:
    TRIVY_IGNORE_LIST: "CVE-2022-12345"
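The following is an added example, not the gitlab-ci-helpers implementation, of how a job could turn TRIVY_IGNORE_LIST into the .trivyignore file that Trivy reads (one identifier per line; Trivy picks the file up from the working directory or via its --ignorefile flag). The function name write_trivyignore, the validation of each entry against the CVE-YYYY-NNNN shape and the second CVE identifier in the usage are assumptions and constructed values; the point it adds is that a mistyped entry fails the job loudly instead of being silently written into the ignore list.

```shell
#!/bin/sh
# Added example (not the gitlab-ci-helpers code): build a .trivyignore file
# from a space-separated list of CVE identifiers.
#
# $1: the space-separated list (the content of TRIVY_IGNORE_LIST)
# $2: output path, default .trivyignore in the working directory
# Returns 0 when every entry was written, 1 when any entry was rejected.
write_trivyignore() {
  list="$1"
  out="${2:-.trivyignore}"
  bad=0

  # Start from an empty file so stale entries from a previous run never survive.
  : > "$out"

  # Word splitting on $list is intentional: the variable is space separated.
  for id in $list; do
    case "$id" in
      # Accept only CVE-<4-digit year>-<4 or more digits>; anything else is
      # rejected rather than written, so a typo cannot hide a finding.
      CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*)
        printf '%s\n' "$id" >> "$out"
        ;;
      *)
        printf 'write_trivyignore: rejecting invalid CVE id %s\n' "$id" >&2
        bad=1
        ;;
    esac
  done

  return "$bad"
}

# Usage in a CI job: only act when the variable is set. The scan step would
# then run, for example, "trivy image --ignorefile .trivyignore $IMAGE"
# (not executed here). CVE-2023-00001 below is a constructed placeholder.
if [ -n "${TRIVY_IGNORE_LIST:-}" ]; then
  write_trivyignore "$TRIVY_IGNORE_LIST" .trivyignore || exit 1
fi
```

Because the list lives in .gitlab-ci.yml, every ignored CVE goes through the normal merge-request review, which is where the justification for ignoring it should be recorded; revisit the list when the upstream fix lands so the entry does not outlive the reason for it.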