py-trivy job now fails with error open /contrib/gitlab-codequality.tpl: no such file or directory
Describe the bug
Hello,
Following #116 (closed), Trivy is now launched but it can't retrieve the contrib/gitlab-codequality.tpl file, and the step fails.
It seems the @ is not taken into account on line https://gitlab.com/to-be-continuous/python/-/blob/master/templates/gitlab-ci-python.yml?ref_type=heads#L1527
Expected behavior
No failure; the step is OK if no vulnerabilities are found.
Actual behavior
The step fails during the conversion part.
Logs and/or screenshots
$ # BEGSCRIPT # collapsed multi-line command
$ install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
$ enforce_python_cmd
$ cd ${PYTHON_PROJECT_DIR}
$ guess_build_system
[INFO] --- Build system auto-detected: requirements file
$ mkdir -p -m 777 reports
$ if [[ -z "$PYTHON_TRIVY_DIST_URL" ]] # collapsed multi-line command
[INFO] Trivy version unset: retrieve latest version...
[INFO] ... use latest Trivy version: https://github.com/aquasecurity/trivy/releases/download/v0.65.0/trivy_0.65.0_Linux-64bit.tar.gz
[INFO] Trivy not found in cache (https://github.com/aquasecurity/trivy/releases/download/v0.65.0/trivy_0.65.0_Linux-64bit.tar.gz): download
$ case "$PYTHON_BUILD_SYSTEM" in # collapsed multi-line command
[INFO] reqfile build system used (must generate pinned requirements.txt)
[INFO] --- installing main requirements from requirements.txt
Collecting click==8.2.1 (from -r requirements.txt (line 12))
Downloading click-8.2.1-py3-none-any.whl.metadata (2.5 kB)
Collecting loguru==0.7.3 (from -r requirements.txt (line 13))
Downloading loguru-0.7.3-py3-none-any.whl.metadata (22 kB)
Collecting pyyaml==6.0.2 (from -r requirements.txt (line 14))
Downloading PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (2.1 kB)
Collecting envsubst==0.1.5 (from -r requirements.txt (line 15))
Downloading envsubst-0.1.5-py2.py3-none-any.whl.metadata (826 bytes)
Collecting nested-lookup==0.2.25 (from -r requirements.txt (line 16))
Downloading nested-lookup-0.2.25.tar.gz (14 kB)
Installing build dependencies: started
Installing build dependencies: finished with status 'done'
Getting requirements to build wheel: started
Getting requirements to build wheel: finished with status 'done'
Preparing metadata (pyproject.toml): started
Preparing metadata (pyproject.toml): finished with status 'done'
Collecting jmespath-community==1.1.3 (from -r requirements.txt (line 17))
Downloading jmespath_community-1.1.3-py3-none-any.whl.metadata (8.9 kB)
Collecting six (from nested-lookup==0.2.25->-r requirements.txt (line 16))
Downloading six-1.17.0-py2.py3-none-any.whl.metadata (1.7 kB)
Downloading click-8.2.1-py3-none-any.whl (102 kB)
Downloading loguru-0.7.3-py3-none-any.whl (61 kB)
Downloading PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (759 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 759.5/759.5 kB 12.8 MB/s 0:00:00
Downloading envsubst-0.1.5-py2.py3-none-any.whl (4.0 kB)
Downloading jmespath_community-1.1.3-py3-none-any.whl (25 kB)
Downloading six-1.17.0-py2.py3-none-any.whl (11 kB)
Building wheels for collected packages: nested-lookup
Building wheel for nested-lookup (pyproject.toml): started
Building wheel for nested-lookup (pyproject.toml): finished with status 'done'
Created wheel for nested-lookup: filename=nested_lookup-0.2.25-py3-none-any.whl size=13217 sha256=c87190eb267e24352a6242b93928c731a40c346e0651f8da79b32f1c2c4c9ca7
Stored in directory: /builds/Orange-OpenSource/k8s-tz/tools/kube-score-lint/.cache/pip/wheels/4b/b7/32/a8e5d4d164355b51c34147e4809c5ff1158402fb90a4757013
Successfully built nested-lookup
Installing collected packages: envsubst, six, pyyaml, loguru, jmespath-community, click, nested-lookup
Successfully installed click-8.2.1 envsubst-0.1.5 jmespath-community-1.1.3 loguru-0.7.3 nested-lookup-0.2.25 pyyaml-6.0.2 six-1.17.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager, possibly rendering your system unusable. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv. Use the --root-user-action option if you know what you are doing and want to suppress this warning.
[INFO] --- installing extra requirements from requirements-dev.txt
Obtaining file:///builds/Orange-OpenSource/k8s-tz/tools/kube-score-lint (from -r requirements-dev.txt (line 13))
Installing build dependencies: started
Installing build dependencies: finished with status 'done'
Checking if build backend supports build_editable: started
Checking if build backend supports build_editable: finished with status 'done'
Getting requirements to build editable: started
Getting requirements to build editable: finished with status 'done'
Installing backend dependencies: started
Installing backend dependencies: finished with status 'done'
Preparing editable metadata (pyproject.toml): started
Preparing editable metadata (pyproject.toml): finished with status 'done'
Collecting pytest (from -r requirements-dev.txt (line 11))
Downloading pytest-8.4.1-py3-none-any.whl.metadata (7.7 kB)
Collecting pytest-cov (from -r requirements-dev.txt (line 12))
Downloading pytest_cov-6.2.1-py3-none-any.whl.metadata (30 kB)
Requirement already satisfied: click>=8.2.1 in /usr/local/lib/python3.13/site-packages (from kube-score-lint==1.12.28->-r requirements-dev.txt (line 13)) (8.2.1)
Requirement already satisfied: envsubst>=0.1.5 in /usr/local/lib/python3.13/site-packages (from kube-score-lint==1.12.28->-r requirements-dev.txt (line 13)) (0.1.5)
Requirement already satisfied: jmespath-community>=1.1.3 in /usr/local/lib/python3.13/site-packages (from kube-score-lint==1.12.28->-r requirements-dev.txt (line 13)) (1.1.3)
Requirement already satisfied: loguru>=0.7.3 in /usr/local/lib/python3.13/site-packages (from kube-score-lint==1.12.28->-r requirements-dev.txt (line 13)) (0.7.3)
Requirement already satisfied: nested-lookup>=0.2.25 in /usr/local/lib/python3.13/site-packages (from kube-score-lint==1.12.28->-r requirements-dev.txt (line 13)) (0.2.25)
Requirement already satisfied: pyyaml>=6.0.2 in /usr/local/lib/python3.13/site-packages (from kube-score-lint==1.12.28->-r requirements-dev.txt (line 13)) (6.0.2)
Collecting iniconfig>=1 (from pytest->-r requirements-dev.txt (line 11))
Downloading iniconfig-2.1.0-py3-none-any.whl.metadata (2.7 kB)
Collecting packaging>=20 (from pytest->-r requirements-dev.txt (line 11))
Using cached packaging-25.0-py3-none-any.whl.metadata (3.3 kB)
Collecting pluggy<2,>=1.5 (from pytest->-r requirements-dev.txt (line 11))
Using cached pluggy-1.6.0-py3-none-any.whl.metadata (4.8 kB)
Collecting pygments>=2.7.2 (from pytest->-r requirements-dev.txt (line 11))
Downloading pygments-2.19.2-py3-none-any.whl.metadata (2.5 kB)
Collecting coverage>=7.5 (from coverage[toml]>=7.5->pytest-cov->-r requirements-dev.txt (line 12))
Downloading coverage-7.10.4-cp313-cp313-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl.metadata (8.9 kB)
Requirement already satisfied: six in /usr/local/lib/python3.13/site-packages (from nested-lookup>=0.2.25->kube-score-lint==1.12.28->-r requirements-dev.txt (line 13)) (1.17.0)
Downloading pytest-8.4.1-py3-none-any.whl (365 kB)
Using cached pluggy-1.6.0-py3-none-any.whl (20 kB)
Downloading pytest_cov-6.2.1-py3-none-any.whl (24 kB)
Downloading coverage-7.10.4-cp313-cp313-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl (250 kB)
Downloading iniconfig-2.1.0-py3-none-any.whl (6.0 kB)
Using cached packaging-25.0-py3-none-any.whl (66 kB)
Downloading pygments-2.19.2-py3-none-any.whl (1.2 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.2/1.2 MB 18.7 MB/s 0:00:00
Building wheels for collected packages: kube-score-lint
Building editable for kube-score-lint (pyproject.toml): started
Building editable for kube-score-lint (pyproject.toml): finished with status 'done'
Created wheel for kube-score-lint: filename=kube_score_lint-1.12.28-py3-none-any.whl size=3284 sha256=06277e20443e7e1fa652b07d8278fd487830efbe01e9c506701ed56cec58fb95
Stored in directory: /tmp/pip-ephem-wheel-cache-r7c4tkuq/wheels/7b/94/f4/d3ac2bfbcef6ed27d4826c87c286d9a13689cd139c8d602e16
Successfully built kube-score-lint
Installing collected packages: pygments, pluggy, packaging, iniconfig, coverage, pytest, kube-score-lint, pytest-cov
Successfully installed coverage-7.10.4 iniconfig-2.1.0 kube-score-lint-1.12.28 packaging-25.0 pluggy-1.6.0 pygments-2.19.2 pytest-8.4.1 pytest-cov-6.2.1
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager, possibly rendering your system unusable. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv. Use the --root-user-action option if you know what you are doing and want to suppress this warning.
[INFO] *** install_requirements took 18.4 seconds
ERROR: Error [Errno 2] No such file or directory: 'git' while executing command git config --get-regexp 'remote\..*\.url'
WARNING: cannot determine version of editable source in /builds/Orange-OpenSource/k8s-tz/tools/kube-score-lint (git command not found in path)
click==8.2.1
coverage==7.10.4
envsubst==0.1.5
iniconfig==2.1.0
jmespath-community==1.1.3
-e /builds/Orange-OpenSource/k8s-tz/tools/kube-score-lint
loguru==0.7.3
nested-lookup==0.2.25
packaging==25.0
pluggy==1.6.0
Pygments==2.19.2
pytest==8.4.1
pytest-cov==6.2.1
PyYAML==6.0.2
six==1.17.0
[WARN] The ./requirements.txt file does not match the ./reports/requirements.txt file generated via pip freeze. Make sure to include all dependencies with pinned versions in ./requirements.txt and re-commit the file.
2025-08-20T07:31:48Z INFO Adding schema version to the DB repository for backward compatibility repository="docker.stable.lb.innovation.nif-cd.fr/public-github/aquasecurity/trivy-db:2"
2025-08-20T07:31:48Z INFO Adding schema version to the DB repository for backward compatibility repository="docker.stable.lb.innovation.nif-cd.fr/public-github/aquasecurity/trivy-java-db:1"
2025-08-20T07:31:48Z WARN Trivy runs in client/server mode, but misconfiguration and license scanning will be done on the client side, see https://trivy.dev/v0.65/docs/references/modes/client-server
2025-08-20T07:31:48Z INFO [vuln] Vulnerability scanning is enabled
2025-08-20T07:31:48Z INFO [secret] Secret scanning is enabled
2025-08-20T07:31:48Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-08-20T07:31:48Z INFO [secret] Please see also https://trivy.dev/v0.65/docs/scanner/secret#recommendation for faster secret detection
2025-08-20T07:31:48Z INFO [python] Licenses acquired from one or more METADATA files may be subject to additional terms. Use `--debug` flag to see all affected packages.
2025-08-20T07:31:49Z FATAL Fatal error unable to write results: failed to initialize template writer: error retrieving template from path: open /contrib/gitlab-codequality.tpl: no such file or directory
Context & Configuration
Link to a project, pipeline or job facing the bug: https://gitlab.com/Orange-OpenSource/k8s-tz/tools/kube-score-lint/-/jobs/11073162740
The issue was reproduced using:
- Version of the template: 8.1.1
- GitLab server(s): gitlab.com
- GitLab runner(s): managed runner using kubernetes as executor
Here is the .gitlab-ci.yml file:
# included templates
include:
  - project: 'Orange-OpenSource/k8s-tz/tools/template-template'
    ref: 1.8.55
    file: 'templates/gitlab-ci-template.yaml'
  - project: 'Orange-OpenSource/k8s-tz/tools/template-template'
    ref: 1.8.55
    file: 'templates/gitlab-ci-template-allow-push-to-main-branch.yaml'
  - project: 'Orange-OpenSource/k8s-tz/tools/template-template'
    ref: 1.8.55
    file: 'templates/gitlab-ci-template-docker.yaml'
  # Python template
  - project: "to-be-continuous/python"
    ref: "8.1.1"
    file: "templates/gitlab-ci-python.yml"

# secret variables: see README.md

# variables
variables:
  GITLAB_TOKEN: $BOT_TOKEN
  # to-be-continuous/python
  PYTHON_PACKAGE_ENABLED: "true"
  PYTEST_ENABLED: "true"
  PYTEST_ARGS: "--import-mode=importlib -x -v"
  RUFF_ENABLED: "true"
  RUFF_FORMAT_ENABLED: "true"
  # yamllint
  YAML_PATH_EXCLUSION: ./tests
  TEMPLATE_VERSION_VARNAME: "KUBE_SCORE_LINT_DOCKER_TAG"
  TEMPLATE_FILES_TO_BUMP: &gitlab-template "gitlab-ci-template.yaml"
  GITLAB_CI_FILES: *gitlab-template
  # renovate: datasource=github-releases depName=helm/helm
  HELM_VERSION: v3.18.3
  # renovate: datasource=github-releases depName=kubernetes/kubernetes
  KUBERNETES_VERSION: v1.33.2
  # renovate: datasource=github-releases depName=zegl/kube-score
  KUBE_SCORE_VERSION: v1.20.0
  # renovate: datasource=pypi depName=ruff
  RUFF_VERSION: 0.12.9

# your pipeline stages
stages:
  - build
  - test
  - package-build
  - package-test
  - infra
  - deploy
  - acceptance
  - publish
  - infra-prod
  - production

py-pytest:
  before_script:
    - !reference [.python-base, before_script]
    - apt-get update && apt-get install -y curl tar
    - mkdir -p .local/bin
    - cd .local/bin
    - curl -LO "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz"
    - tar -zxvf "helm-${HELM_VERSION}-linux-amd64.tar.gz"
    - mv ./linux-amd64/helm helm
    - curl -LO
      "https://dl.k8s.io/release/${KUBERNETES_VERSION}/bin/linux/amd64/kubectl"
    - chmod +x kubectl
    - echo $KUBE_SCORE_VERSION
    - KUBE_SCORE_VERSION_NO_V=$(echo "${KUBE_SCORE_VERSION}" | sed 's/v//')
    - export KUBE_SCORE_VERSION_NO_V
    - echo $KUBE_SCORE_VERSION_NO_V
    # yamllint disable rule:line-length
    - curl -L
      "https://github.com/zegl/kube-score/releases/download/${KUBE_SCORE_VERSION}/kube-score_${KUBE_SCORE_VERSION_NO_V}_linux_amd64"
      > kube-score
    # yamllint enable rule:line-length
    - chmod +x kube-score
    - cd ../..
    - export PATH=${PATH}:${PWD}/.local/bin
    - helm version
    - kubectl version --client
    - kube-score version
  after_script:
    - curl -Os https://cli.codecov.io/latest/linux/codecov
    - chmod +x codecov
    - ./codecov upload-process --plugin pycoverage --git-service gitlab -f
      reports/py-coverage.cobertura.xml -t $CODECOV_TOKEN

py-functionnal-success:
  stage: package-test
  image: $DOCKER_SNAPSHOT_IMAGE
  script:
    - kube-score-lint --base-folder tests/functionnal/fixtures/cilium/ score

py-functionnal-failure:
  stage: package-test
  image: $DOCKER_SNAPSHOT_IMAGE
  script:
    - kube-score-lint --base-folder
      tests/unit/fixtures/basic_kustomization_plus_helmrelease/ score |
      tee output || true
    - cat output | grep failed

###
# Overrides
##
semantic-release:
  dependencies:
    - create semantic release config
Configured GitLab CI project or group variables:
- TRIVY_CHECKS_BUNDLE_REPOSITORY
- TRIVY_JAVA_DB_REPOSITORY
- TRIVY_SERVER
- DOCKER_TRIVY_ADDR
- TRIVY_DB_REPOSITORY
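As an added example (not code from the issue or from the to-be-continuous template): a POSIX sh pre-flight check for the value passed to Trivy's --template option, which Trivy reads as a file path when it starts with "@" (the FATAL line above shows it opening /contrib/gitlab-codequality.tpl). The fallback to a contrib/ directory next to the trivy binary is an assumption about how the release tarball unpacks; the function name and arguments are hypothetical.

```shell
# resolve_trivy_template TEMPLATE_ARG TRIVY_BIN_DIR
# Prints a usable --template value on stdout and returns 0, or prints an
# error on stderr and returns 1 when no template file can be found.
resolve_trivy_template() {
  arg=$1
  bindir=$2
  case "$arg" in
    @*) path=${arg#@} ;;                 # "@path" means: load template from file
    *)  printf '%s\n' "$arg"; return 0 ;; # inline template text, nothing to check
  esac
  if [ -f "$path" ]; then
    printf '@%s\n' "$path"
    return 0
  fi
  # Assumption: the Trivy release tarball unpacks contrib/*.tpl beside the
  # binary, so retry the same file name under that directory.
  candidate="$bindir/contrib/$(basename "$path")"
  if [ -f "$candidate" ]; then
    printf '@%s\n' "$candidate"
    return 0
  fi
  echo "[ERROR] Trivy template not found: $path (also tried $candidate)" >&2
  return 1
}
```

Running this check before the trivy invocation turns the late "unable to write results" FATAL into an explicit message about which path was missing.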