Separatly test dependencies and Docker image.

This way, we don't enter all the steps in the CI if the dependencies
appear to be vulnerable.

.gitlab-ci.yml

@@ -56,6 +56,19 @@ test:
     expire_in: 1 week
     expose_as: coverageReport
 
+dep-scan:
+  stage: test
+  needs:
+    - compile
+  script:
+    - make trivy-scan-deps
+  artifacts:
+    reports:
+      dependency_scanning: .trivy/gl-scanning-report.json
+  cache:
+    paths:
+      - .trivy/.trivycache/
+
 dockerimage:
   stage: docker
   image: $DOCKER_REGISTRY/docker-make:latest
@@ -64,6 +77,7 @@ dockerimage:
       alias: docker
   needs:
     - compile
+    - dep-scan
     - test
   script:
     - docker login -u $DOCKER_REGISTRY_USER -p $DOCKER_REGISTRY_PASSWORD $DOCKER_REGISTRY
@@ -72,7 +86,7 @@ dockerimage:
     - docker tag $DOCKER_REGISTRY/library/alpine:latest alpine:latest
     - docker build -t $IMAGE_NAME_ENV .
     # Run vulnerability scan before pushing the image
-    - make trivy DOCKER_TAG=$IMAGE_NAME_ENV
+    - make trivy-scan-docker DOCKER_TAG=$IMAGE_NAME_ENV
     - docker push $IMAGE_NAME_ENV
     - docker tag $IMAGE_NAME_ENV $IMAGE_NAME_GENERAL
     - docker push $IMAGE_NAME_GENERAL
@@ -81,7 +95,7 @@ dockerimage:
       - .trivy/.trivycache/
   artifacts:
     reports:
-      container_scanning: .trivy/gl-container-scanning-report.json
+      container_scanning: .trivy/gl-scanning-report.json
 
 nomadimage:
   stage: docker
@@ -107,6 +121,7 @@ test_e2e:
   stage: e2e
   needs:
     - compile
+    - dep-scan
     - nomadimage
   services:
     - name: docker:dind

Makefile

@@ -19,6 +19,7 @@ deps: ## Get the dependencies
 	@go get -v -d ./...
 	@go install github.com/vektra/mockery/v2@latest
 
+
 .PHONY: git-hooks
 git-dir = $(shell git rev-parse --git-dir)
 git-hooks: $(git-dir)/hooks/pre-commit ## Install the git-hooks
@@ -100,14 +101,26 @@ TRIVY_VERSION = $(shell wget -qO - "https://api.github.com/repos/aquasecurity/tr
 	@wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz -O - | tar -zxvf - -C .trivy
 	@chmod +x .trivy/trivy
 
+# trivy only comes with a template for container_scanning but we want dependency_scanning here
+.trivy/contrib/gitlab-dep.tpl: .trivy/trivy
+	@sed -e "s/container_scanning/dependency_scanning/" .trivy/contrib/gitlab.tpl > $@
+
+.PHONY: trivy-scan-deps
+trivy-scan-deps: poseidon .trivy/contrib/gitlab-dep.tpl ## Run trivy vulnerability against our dependencies
+	make trivy TRIVY_COMMAND="fs" TRIVY_TARGET="--skip-dirs .trivy --skip-files go.sum ." TRIVY_TEMPLATE="@.trivy/contrib/gitlab-dep.tpl"
+
+.PHONY: trivy-scan-docker
+trivy-scan-docker: ## Run trivy vulnerability scanner against the docker image
+	make trivy TRIVY_COMMAND="i" TRIVY_TARGET="--skip-files home/api/poseidon $(DOCKER_TAG)" TRIVY_TEMPLATE="@.trivy/contrib/gitlab.tpl"
+
 .PHONY: trivy
-trivy: .trivy/trivy ## Run trivy vulnerability scanner
+trivy: .trivy/trivy
 	# Build report
-	@.trivy/trivy --exit-code 0 --cache-dir .trivy/.trivycache/ --no-progress --format template --template "@.trivy/contrib/gitlab.tpl" -o .trivy/gl-container-scanning-report.json $(DOCKER_TAG)
+	@.trivy/trivy --cache-dir .trivy/.trivycache/ $(TRIVY_COMMAND) --exit-code 0 --no-progress --format template --template $(TRIVY_TEMPLATE) -o .trivy/gl-scanning-report.json $(TRIVY_TARGET)
 	# Print report
-	@.trivy/trivy --exit-code 0 --cache-dir .trivy/.trivycache/ --no-progress $(DOCKER_TAG)
+	@.trivy/trivy --cache-dir .trivy/.trivycache/ $(TRIVY_COMMAND) --exit-code 0 --no-progress $(TRIVY_TARGET)
 	# Fail on severe vulnerabilities
-	@.trivy/trivy --exit-code 1 --cache-dir .trivy/.trivycache/ --severity CRITICAL --no-progress $(DOCKER_TAG)
+	@.trivy/trivy --cache-dir .trivy/.trivycache/ $(TRIVY_COMMAND) --exit-code 1 --severity HIGH,CRITICAL --no-progress $(TRIVY_TARGET)
 
 .PHONY: help
 HELP_FORMAT="    \033[36m%-25s\033[0m %s\n"