Add Trivy as an option for Container Scanning

Problem to solve

In Auto DevOps, the Container Scanning job uses CoreOS Clair to analyze Docker images for vulnerabilities. I'd like an option to use Trivy instead.

Intended users

Further details

CoreOS Clair doesn't integrate well into CI pipelines. You either need to have a dedicated Clair server, or use arminc's daily-generated Clair database image. Pulling down that database image and starting a container for it on every CI run takes a while. Trivy, by contrast, describes itself as “suitable for CI”.

Also, most of my Docker images are Alpine-based. Trivy uses better vulnerability data for Alpine compared to Clair.
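For comparison, here is what a Trivy-based scanning job looks like when written by hand in .gitlab-ci.yml. This is an added example, not part of this issue and not GitLab's Auto DevOps Container Scanning template. The job name, stage, the use of CI_COMMIT_SHA as the image tag and the report file name are assumptions; the CI_REGISTRY_* variables are GitLab's predefined CI variables, and the trivy flags and TRIVY_* environment variables are the Trivy CLI's own. The point it illustrates is the one made above: Trivy needs no server or database container, only its vulnerability DB, which the GitLab cache can keep between pipelines.

```yaml
# Added example (not from the issue or the Auto DevOps template): a hand-written
# GitLab CI job that scans the image built by an earlier stage with Trivy.
container_scanning_trivy:
  stage: test
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]          # the image's entrypoint is trivy; clear it so `script` runs
  variables:
    # Keep the vulnerability DB inside the project directory so GitLab's
    # cache can persist it between pipelines instead of re-downloading it.
    TRIVY_CACHE_DIR: .trivycache/
    # Registry credentials for a private image; Trivy reads these directly.
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
    # Assumption: the build stage tagged the image with the commit SHA.
    IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  cache:
    paths:
      - .trivycache/
  script:
    # Human-readable report of everything found; never fails the job.
    - trivy image --no-progress --exit-code 0 --severity UNKNOWN,LOW,MEDIUM "$IMAGE"
    # Machine-readable report kept as an artifact for later processing.
    - trivy image --no-progress --exit-code 0 --format json --output trivy-report.json "$IMAGE"
    # Fail the pipeline only on HIGH or CRITICAL findings.
    - trivy image --no-progress --exit-code 1 --severity HIGH,CRITICAL "$IMAGE"
  artifacts:
    when: always
    paths:
      - trivy-report.json
```

The three invocations separate reporting from gating: the first two always succeed so the full report and the JSON artifact are produced, and only the last one, restricted to HIGH and CRITICAL, decides whether the pipeline fails. The cache entry is what removes the per-run database download that the Clair setup suffers from.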

Proposal

The Container Scanning job should offer Trivy as an option.

Permissions and Security

No change.

Documentation

Testing

What does success look like, and how can we measure that?

What is the type of buyer?

  • GitLab Ultimate/Gold customers

Links / references

Edited by King Chung Huang