Add Trivy as an option for Container Scanning
Problem to solve
CoreOS Clair doesn't integrate well into CI pipelines. You either need to have a dedicated Clair server, or use arminc's daily generated Clair database. It takes a while to pull down the database image and start a container for it on every CI run. Trivy is “suitable for CI”.
Also, most of my Docker images are Alpine-based. Trivy uses better vulnerability data for Alpine compared to Clair.
The Container Scanning job should offer Trivy as an option.
Permissions and Security
What does success look like, and how can we measure that?
What is the type of buyer?
- GitLab Ultimate/Gold customers
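The kind of job the request is asking for, as an added example rather than anything from this issue or from GitLab's Container Scanning template: a `.gitlab-ci.yml` job that runs Trivy from the `aquasec/trivy` image, caches the vulnerability database between runs so there is no per-run database image to pull, and emits a report in the format the `container_scanning` artifact expects. It assumes the image was pushed to the project's GitLab registry as `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG` by an earlier stage, and that the GitLab report template ships at `/contrib/gitlab.tpl` inside the Trivy image; the variable names and the `.trivycache/` path are this example's own choices.

```yaml
# Added example: Trivy as a Container Scanning job (not part of the issue text).
# Assumes a prior stage pushed $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG to the project registry.
container_scanning:
  stage: test
  image:
    name: docker.io/aquasec/trivy:latest
    entrypoint: [""]            # the image's entrypoint is trivy itself; clear it so `script` runs
  variables:
    GIT_STRATEGY: none          # the job only needs the image, not the repository checkout
    # Trivy reads registry credentials from these env vars, so the CI job token is enough
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    FULL_IMAGE_NAME: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"   # assumption: pushed by an earlier stage
  script:
    - trivy --version
    # Refresh the vulnerability DB once into a cached directory instead of pulling a DB image every run
    - trivy image --download-db-only --no-progress --cache-dir .trivycache/
    # 1) Report for the GitLab security dashboard; never fail the job here so the report is always produced
    - trivy image --exit-code 0 --cache-dir .trivycache/ --no-progress
        --format template --template "@/contrib/gitlab.tpl"
        --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
    # 2) Human-readable table in the job log
    - trivy image --exit-code 0 --cache-dir .trivycache/ --no-progress "$FULL_IMAGE_NAME"
    # 3) Gate: fail the pipeline only on CRITICAL findings (tighten to HIGH,CRITICAL as policy allows)
    - trivy image --exit-code 1 --cache-dir .trivycache/ --no-progress --severity CRITICAL "$FULL_IMAGE_NAME"
  cache:
    paths:
      - .trivycache/            # keeps the DB between runs; Trivy re-downloads it when it is stale
  artifacts:
    when: always                # upload the report even when the gate step fails
    reports:
      container_scanning: gl-container-scanning-report.json
```

Splitting the report step from the gating step matters: if the single scan that writes the report also carries `--exit-code 1`, a failed gate can leave the job without a report artifact. The cached `.trivycache/` is per-project, so the first run on a fresh runner still downloads the database, but subsequent runs only fetch updates.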