Setting TRIVY_EXIT_CODE Environment variable fails the scan with no CVE output

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Summary

Using the new Container Scanning template with Trivy and setting the "TRIVY_EXIT_CODE" environment value to a value other than "0" breaks the job successfully as it should but will result in blank CVE output which makes it impossible to see what are the CVE's that are breaking the scan

Steps to reproduce

  1. Have a docker container ready for scanning that has CVE's that will appear during a Trivy scan
  2. Include Container-Scanning.gitlab-ci.yml in your .gitlab-ci.yml
  3. Set the following environment variables to enable the new Trivy scanner instead of Clair
    • CS_MAJOR_VERSION: 4
    • CS_PROJECT: 'container-scanning'
  4. set "DOCKER_IMAGE" Environment variable to the container you want to scan that has CVE's
  5. Set "TRIVY_EXIT_CODE" Environment Variable to something other than "0"
  6. Kick off the pipeline and see that the job will fail successfully but there will be blank CVE output and there will not be a gl-container-scanning-report.json artifact created

NOTE: Setting TRIVY_DEBUG to true does produce extra output but the output is not helpful

Example Project

What is the current bug behavior?

Scan fails successfully but there is no CVE output in the job log and no gl-container-scanning-report.json report artifact is created or uploaded

What is the expected correct behavior?

Scan should continue to fail due to the TRIVY_EXIT_CODE Variable being set to a non 0 value, There should be CVE output in the job log and a gl-container-scanning-report.json report artifact should be created/uploaded

Relevant logs and/or screenshots

With TRIVY_EXIT_CODE set to -1 image

With TRIVY_EXIT_CODE unset or the equivalent of 0 image image

Possible fixes

Only thing I can think of to fix this is to handle TRIVY_EXIT_CODE gracefully in the analyzer wrapper for Trivy so that an artifact report is still created and CVE output in the job logs is visible

Edited by 🤖 GitLab Bot 🤖