After merging the initial implementation of our Gitlab pipeline container-scanning solution (T307523, [[ https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/merge_requests/36 | MR ]]), I noticed a couple of issues within [[ https://gitlab.wikimedia.org/repos/security/ci-cd-testing-gitlab-ci-security-templates | our testing repository ]]:
# The trivy output can be quite verbose when it finds vulnerabilities ([[ https://gitlab.wikimedia.org/repos/security/ci-cd-testing-gitlab-ci-security-templates/-/jobs/284589 | example ]]). Is there a way to make this less verbose? If not, I guess that's ok, as we can still get to the complete output ([[ https://gitlab.wikimedia.org/repos/security/ci-cd-testing-gitlab-ci-security-templates/-/jobs/284589/raw | example ]]), but that's a bit less ideal.
# The trivy job seems to be (potentially) returning successful exit codes even when it finds vulnerabilities ([[ https://gitlab.wikimedia.org/repos/security/ci-cd-testing-gitlab-ci-security-templates/-/pipelines/58187 | example pipeline ]], [[ https://gitlab.wikimedia.org/repos/security/ci-cd-testing-gitlab-ci-security-templates/-/jobs/284589 | example job ]]). I would imagine that if trivy finds any vulnerabilities, we'd want to return a positive exit code? Similar to how all of the other application security includes work?
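Added example, not code from this task or from the gitlab-ci-security-templates repository: trivy itself can fail the job with `--exit-code 1` (and the scope can be narrowed with `--severity HIGH,CRITICAL`), which covers the second point directly. For the first point, one approach is to write the full report as JSON (`--format json --output report.json`) so the raw artifact stays available, and print only a compact summary in the job log while still returning non-zero when findings of a failing severity exist. The script below does that; the report structure follows trivy's JSON schema (`Results[].Vulnerabilities[]`), the embedded sample report and its `CVE-0000-*` ids are constructed placeholders, and the "fail on HIGH or CRITICAL" policy is an assumption rather than the template's setting.

```python
"""Summarise a trivy JSON report and decide the CI job's exit status.

Assumes the scan step ran something like
    trivy image --format json --output report.json "$IMAGE"
and that this script is the next line of the job's script: section.
"""
import json
import sys
from collections import Counter

# Assumed policy: findings at these severities make the job fail.
FAILING_SEVERITIES = {"HIGH", "CRITICAL"}
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample report in the shape of trivy's JSON output
# (placeholder ids and package names, not real findings).
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:latest",
    "Results": [
        {
            "Target": "example.invalid/app:latest (debian 11.6)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "LOW"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "othertool",
                 "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "CRITICAL"},
            ],
        },
        # trivy emits null rather than [] for a target with no findings.
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ],
}


def iter_vulns(report):
    """Yield (target, vulnerability) pairs, tolerating null lists."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def count_by_severity(report):
    """Return a dict severity -> count covering every known severity."""
    counts = Counter(v.get("Severity", "UNKNOWN") for _, v in iter_vulns(report))
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def summarize(report, failing=FAILING_SEVERITIES):
    """Return (exit_code, lines): a one-line count plus one line per failing finding."""
    counts = count_by_severity(report)
    nonzero = [f"{sev}={n}" for sev, n in counts.items() if n]
    lines = ["trivy: " + (", ".join(nonzero) if nonzero else "no vulnerabilities found")]
    failing_found = [(t, v) for t, v in iter_vulns(report) if v.get("Severity") in failing]
    # Most severe first; sort is stable so report order is kept within a severity.
    failing_found.sort(key=lambda tv: SEVERITY_ORDER.index(tv[1].get("Severity", "UNKNOWN")))
    for target, v in failing_found:
        fix = v.get("FixedVersion") or "no fix"
        lines.append(f"  {v['Severity']:<8} {v['VulnerabilityID']} {v['PkgName']} "
                     f"{v['InstalledVersion']} -> {fix} ({target})")
    return (1 if failing_found else 0), lines


def main(argv):
    """Load report.json (or the embedded sample when no path is given) and exit accordingly."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    code, lines = summarize(report)
    print("\n".join(lines))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 trivy_summary.py report.json` after the scan; the job log then carries only the count line and the failing findings, the complete JSON can be kept as a job artifact for anyone who needs the detail, and the non-zero return makes the pipeline fail the same way the other application-security includes do. Keeping the policy in `FAILING_SEVERITIES` rather than in the trivy invocation also lets a job downgrade LOW or MEDIUM findings to informational without losing them from the artifact.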