mkdocs: add CI nav

docs/mkdocs/continuous-integration/aws-codepipeline.md

@@ -0,0 +1,3 @@
+See [this blog post][blog] for an example of using Trivy within AWS CodePipeline.
+
+[blog]: https://aws.amazon.com/blogs/containers/scanning-images-with-trivy-in-an-aws-codepipeline/

docs/mkdocs/continuous-integration/aws-security-hub.md

@@ -0,0 +1,3 @@
+See [here][hub]
+
+[hub]: https://github.com/aquasecurity/trivy/tree/main/docs/integration/security-hub.md

docs/mkdocs/continuous-integration/circleci.md

@@ -0,0 +1,40 @@
+```
+$ cat .circleci/config.yml
+jobs:
+  build:
+    docker:
+      - image: docker:stable-git
+    steps:
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build image
+          command: docker build -t trivy-ci-test:${CIRCLE_SHA1} .
+      - run:
+          name: Install trivy
+          command: |
+            apk add --update-cache --upgrade curl
+            VERSION=$(
+                curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | \
+                grep '"tag_name":' | \
+                sed -E 's/.*"v([^"]+)".*/\1/'
+            )
+
+            wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
+            tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
+            mv trivy /usr/local/bin
+      - run:
+          name: Scan the local image with trivy
+          command: trivy --exit-code 0 --no-progress trivy-ci-test:${CIRCLE_SHA1}
+workflows:
+  version: 2
+  release:
+    jobs:
+      - build
+```
+
+[Example][example]
+[Repository][repository]
+
+[example]: https://circleci.com/gh/aquasecurity/trivy-ci-test
+[repository]: https://github.com/aquasecurity/trivy-ci-test

docs/mkdocs/continuous-integration/github-actions.md

@@ -0,0 +1,7 @@
+- Here is the [Trivy Github Action][action]
+- The Microsoft Azure team have written a [container-scan action][azuer] that uses Trivy and Dockle
+- For full control over the options specified to Trivy, this [blog post][blog] describes adding Trivy into your own GitHub action workflows 
+
+[action]: https://github.com/aquasecurity/trivy-action
+[azure]: https://github.com/Azure/container-scan
+[blog]: https://blog.aquasec.com/devsecops-with-trivy-github-actions

docs/mkdocs/continuous-integration/gitlab-ci.md

@@ -0,0 +1,94 @@
+```
+$ cat .gitlab-ci.yml
+stages:
+  - test
+
+trivy:
+  stage: test
+  image: docker:stable
+  services:
+    - name: docker:dind
+      entrypoint: ["env", "-u", "DOCKER_HOST"]
+      command: ["dockerd-entrypoint.sh"]
+  variables:
+    DOCKER_HOST: tcp://docker:2375/
+    DOCKER_DRIVER: overlay2
+    # See https://github.com/docker-library/docker/pull/166
+    DOCKER_TLS_CERTDIR: ""
+    IMAGE: trivy-ci-test:$CI_COMMIT_SHA
+  before_script:
+    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
+    - echo $TRIVY_VERSION
+    - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
+  allow_failure: true
+  script:
+    # Build image
+    - docker build -t $IMAGE .
+    # Build report
+    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
+    # Print report
+    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --severity HIGH $IMAGE
+    # Fail on severe vulnerabilities
+    - ./trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress $IMAGE
+  cache:
+    paths:
+      - .trivycache/
+  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
+  artifacts:
+    reports:
+      container_scanning: gl-container-scanning-report.json
+```
+
+[Example][example]
+[Repository][repository]
+
+### GitLab CI using Trivy container
+
+To scan a previously built image that has already been pushed into the
+GitLab container registry the following CI job manifest can be used.
+Note that `entrypoint` needs to be unset for the `script` section to work.
+In case of a non-public GitLab project Trivy additionally needs to
+authenticate to the registry to be able to pull your application image.
+Finally, it is not necessary to clone the project repo as we only work
+with the container image.
+
+```yaml
+container_scanning:
+  image:
+    name: docker.io/aquasec/trivy:latest
+    entrypoint: [""]
+  variables:
+    # No need to clone the repo, we exclusively work on artifacts.  See
+    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
+    GIT_STRATEGY: none
+    TRIVY_USERNAME: "$CI_REGISTRY_USER"
+    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
+    TRIVY_AUTH_URL: "$CI_REGISTRY"
+    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
+  script:
+    - trivy --version
+    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
+    - time trivy image --clear-cache
+    # update vulnerabilities db
+    - time trivy --download-db-only --no-progress --cache-dir .trivycache/
+    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
+    - time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl"
+        --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
+    # Prints full report
+    - time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress "$FULL_IMAGE_NAME"
+    # Fails on high and critical vulnerabilities
+    - time trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
+  cache:
+    paths:
+      - .trivycache/
+  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
+  artifacts:
+    when:                          always
+    reports:
+      container_scanning:          gl-container-scanning-report.json
+  tags:
+    - docker-runner
+```
+
+[example]: https://gitlab.com/aquasecurity/trivy-ci-test/pipelines
+[repository]: https://github.com/aquasecurity/trivy-ci-test

docs/mkdocs/continuous-integration/index.md

@@ -0,0 +1,3 @@
+Scan your image automatically as part of your CI workflow, failing the workflow if a vulnerability is found. When you don't want to fail the test, specify `--exit-code 0`.
+
+Since in automated scenarios such as CI/CD you are only interested in the end result, and not the full report, use the `--light` flag to optimize for this scenario and get fast results.

docs/mkdocs/continuous-integration/private/docker-hub.md

@@ -0,0 +1,7 @@
+Docker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
+You don't need to set ENV vars when download from public repository.
+
+```bash
+export TRIVY_USERNAME={DOCKERHUB_USERNAME}
+export TRIVY_PASSWORD={DOCKERHUB_PASSWORD}
+```

docs/mkdocs/continuous-integration/private/ecr.md

@@ -0,0 +1,4 @@
+Trivy uses AWS SDK. You don't need to install `aws` CLI tool.
+You can use [AWS CLI's ENV Vars][env-var].
+
+[env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html

docs/mkdocs/continuous-integration/private/gcr.md

@@ -0,0 +1,7 @@
+Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
+
+If you want to use target project's repository, you can settle via `GOOGLE_APPLICATION_CREDENTIAL`.
+```bash
+# must set TRIVY_USERNAME empty char
+export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
+```

docs/mkdocs/continuous-integration/private/index.md

@@ -0,0 +1,5 @@
+Trivy can download images from a private registry, without installing `Docker` or any other 3rd party tools.
+That's because it's easy to run in a CI process.
+
+All you have to do is install `Trivy` and set ENV vars.
+But, I can't recommend using ENV vars in your local machine to you.

docs/mkdocs/continuous-integration/private/self.md

@@ -0,0 +1,9 @@
+BasicAuth server needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
+
+```bash
+export TRIVY_USERNAME={USERNAME}
+export TRIVY_PASSWORD={PASSWORD}
+
+# if you want to use 80 port, use NonSSL
+export TRIVY_NON_SSL=true
+```

docs/mkdocs/continuous-integration/travis-ci.md

@@ -0,0 +1,27 @@
+```
+$ cat .travis.yml
+services:
+  - docker
+
+env:
+  global:
+    - COMMIT=${TRAVIS_COMMIT::8}
+
+before_install:
+  - docker build -t trivy-ci-test:${COMMIT} .
+  - export VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
+  - wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
+  - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
+script:
+  - ./trivy --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${COMMIT}
+  - ./trivy --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${COMMIT}
+cache:
+  directories:
+    - $HOME/.cache/trivy
+```
+
+[Example][example]
+[Repository][repository]
+
+[example]: https://travis-ci.org/aquasecurity/trivy-ci-test
+[repository]: https://github.com/aquasecurity/trivy-ci-test