CI Process Integration
The system supports integrating vulnerability scanning into GitLab CI/CD pipelines with the ability to send results to ASOC.
Environment Variable Configuration
The following variables must be defined for the script to work:
| Variable | Description |
|---|---|
| IMAGE_TO_SCAN | Docker image to scan (format: yourimagename/latest) |
| REPORT_FILE | Name of the file to save the report (default: trivy-report.json) |
| API_URL | API URL for sending results: http://your-tronasoc-url/api/v1/check/{check_id}/external |
| API_TOKEN | API token for authentication in TRON.ASOC (format: asoc-your_api_token_here) |
These variables must be defined in the variables section of the .gitlab-ci.yml file.
Example CI/CD Pipeline Implementation (Trivy)
The pipeline consists of two stages:
- scan - scanning the image for vulnerabilities
- upload - sending results to ASOC
```yaml
stages:
  - scan
  - upload

variables:
  IMAGE_TO_SCAN: "anaisurlichs/cns-website:0.0.6"   # Target Docker image
  REPORT_FILE: "trivy-report.json"                  # Report file
  # {check_id} is the identifier of the ASOC check the results belong to
  API_URL: "http://example.asoc.ximi.group/api/v1/check/{check_id}/external"
  API_TOKEN: "asoc-exampletoken"                    # Protected access token

scan_image:
  stage: scan
  image: aquasec/trivy:latest   # Official Trivy image
  script:
    - trivy image --format json --output ${REPORT_FILE} ${IMAGE_TO_SCAN}
    - echo "[INFO] Scanning completed. Report saved to ${REPORT_FILE}"
  artifacts:
    paths:
      - ${REPORT_FILE}
    when: always        # Save artifacts even on errors
    expire_in: 1 week   # Artifact storage period

upload_report:
  stage: upload
  image: curlimages/curl:latest   # Image with curl
  script:
    - echo "[INFO] Sending report ${REPORT_FILE} to ${API_URL}"
    # Folded scalar (>) joins the lines with spaces, so no trailing backslashes are needed
    - >
      curl --fail --location "${API_URL}"
      --header "x-api-token: ${API_TOKEN}"
      --header "Content-Type: application/json"
      --data-binary @"${REPORT_FILE}"
  dependencies:
    - scan_image   # Wait for scanning to complete
```
Example CI/CD Pipeline Implementation (Grype)
```yaml
# Replaces the scan_image job; stages, variables and upload_report stay as in the Trivy pipeline
grype_scan:
  image: anchore/grype:latest   # Official Grype image
  stage: scan
  script:
    - echo "[INFO] Начато сканирование образа ${IMAGE_TO_SCAN}"
    - grype ${IMAGE_TO_SCAN} --output json --file ${REPORT_FILE}
    # The job fails if the report was not written
    - test -f ${REPORT_FILE} && echo "[SUCCESS] Отчёт сохранён в ${REPORT_FILE}"
  artifacts:
    paths:
      - ${REPORT_FILE}
    when: always   # Save artifacts even on errors
```
Recommendations
- For existing reports, only the upload stage can be used
- All secret values (API_TOKEN) should be stored in GitLab's protected variables
- For other tools (Semgrep, KICS, etc.), you need to modify:
  - The Docker image in the image field
  - The scanning command in the script section
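The recommendation to reuse only the upload stage for existing reports can be turned into a small standalone script. The following is an added example, not part of the TRON.ASOC documentation: it checks the required variables from the table above, verifies that the report file is present and looks like a JSON document, fills the `{check_id}` placeholder in API_URL from a hypothetical CHECK_ID variable, and then issues the same curl request the upload_report job uses.

```shell
#!/bin/sh
# upload_report.sh: send an existing scanner report to ASOC without running a scan.
# Added example; assumes the page's REPORT_FILE, API_URL and API_TOKEN variables
# plus a hypothetical CHECK_ID that replaces {check_id} in API_URL.
set -eu

# Replace the {check_id} placeholder in the API URL template with a concrete id.
build_api_url() {
    template="$1"
    check_id="$2"
    printf '%s' "$template" | sed "s|{check_id}|$check_id|"
}

# The report must exist, be non-empty and start with '{' or '[' (Trivy and
# Grype both emit a JSON object); anything else would be rejected by the API.
check_report_file() {
    file="$1"
    [ -s "$file" ] || { echo "[ERROR] Report $file is missing or empty" >&2; return 1; }
    first=$(head -n 1 "$file" | sed 's/^[[:space:]]*//' | cut -c1)
    case "$first" in
        '{'|'[') return 0 ;;
        *) echo "[ERROR] Report $file does not look like JSON" >&2; return 1 ;;
    esac
}

# Fail early with a clear message when a required variable is unset or empty.
require_var() {
    eval "value=\${$1:-}"
    [ -n "$value" ] || { echo "[ERROR] $1 is not set" >&2; return 1; }
}

# Same request as the upload_report job: token in x-api-token, report as JSON body.
upload_report() {
    url=$(build_api_url "$API_URL" "$CHECK_ID")
    echo "[INFO] Sending report $REPORT_FILE to $url"
    curl --fail --silent --show-error --location "$url" \
        --header "x-api-token: $API_TOKEN" \
        --header "Content-Type: application/json" \
        --data-binary @"$REPORT_FILE"
}

main() {
    for v in REPORT_FILE API_URL API_TOKEN CHECK_ID; do
        require_var "$v"
    done
    check_report_file "$REPORT_FILE"
    upload_report
}

# Only upload when invoked as "sh upload_report.sh upload"; without the argument
# the file just defines the functions (e.g. when sourced from another script).
if [ "${1:-}" = "upload" ]; then
    main
fi
```

In a pipeline the token should come from a protected GitLab variable rather than from the script; the script itself never echoes API_TOKEN, so job logs do not leak it.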