Added security scanning

.gitlab/.gitlab-ci.yaml

@@ -24,7 +24,9 @@ variables:
 
 .helm:
   image:
-    name: docker.io/library/alpine:3.21.3
+    # https://gallery.ecr.aws/docker/library/alpine
+    name: public.ecr.aws/docker/library/alpine:3.21.3
+    # name: docker.io/library/alpine:3.21.3
     entrypoint: ["/bin/sh", "-c"]
   variables:
     APK_CACHE_DIR: "${CI_PROJECT_DIR}/.cache/apk"
@@ -77,8 +79,9 @@ variables:
     key: "${CI_COMMIT_REF_SLUG}-trivy"
     paths:
     - "${TRIVY_CACHE_DIR}"
-  stage: scan
+  # stage: scan
   allow_failure: true # allows pipeline stage to fail to create warnings without stopping pipelines
 
 include:
+- local: /.gitlab/trivy/local-repo-scan.yaml
 - local: /.gitlab/helm/lint.yaml

.gitlab/trivy/local-repo-scan.yaml

@@ -0,0 +1,10 @@
+local-repo-scan:
+  extends: [.trivy]
+  script:
+  # generate a SAST report for all severity levels to later be used
+  - trivy repo . --format json -o ${REPORT_PATH}
+  # We use trivy convert to fail this pipeline if there are any vulnerabilities that meet our severity threshold
+  - trivy convert --exit-code 1 --severity ${SEVERITY_THRESHOLD} ${REPORT_PATH}
+  artifacts:
+    reports:
+      sast: ${REPORT_PATH}