SYS-598 add trivy scan; update samba

.image-gitlab-ci.yml

@@ -9,6 +9,7 @@ stages:
   - Static Code Analysis
   - Create Image
   - Functional Tests
+  - Security Scan
   - Promote Image
 
 image: docker:19.03.8
@@ -34,6 +35,40 @@ test:
   stage: Functional Tests
   script: apk add make && cd images/$IMAGE && make test_functional
 
+security_scan_trivy:
+  image:
+    name: aquasec/trivy:latest
+    entrypoint: ["/bin/sh"]
+  stage: Security Scan
+  allow_failure: true
+  interruptible: true
+  variables:
+    GIT_STRATEGY: none
+    IMAGE_NAME: ${REGISTRY}/${IMAGE}:${TAG}
+    TRIVY_DEBUG: "true"
+    TRIVY_FORMAT: json
+    TRIVY_SEVERITY: HIGH,CRITICAL
+    TRIVY_EXIT_CODE: 1
+    TRIVY_VULN_TYPE: os,library
+    TRIVY_TIMEOUT: 5m
+    # TRIVY_NO_PROGRESS: "true"
+    TRIVY_OUTPUT: gl-container-scanning-report.json
+  timeout: 5m
+  retry:
+    max: 2
+    when:
+    - runner_system_failure
+    - stuck_or_timeout_failure
+  when: on_success
+  script: [ trivy ${IMAGE_NAME} ]
+  artifacts:
+    reports:
+      container_scanning: gl-container-scanning-report.json
+    # expire_in: 1 day
+  only:
+    refs: [ merge_requests ]
+    variables: [ $IMAGE_NAME ]
+
 promote_image:
   stage: Promote Image
   <<: *registry_login

images/samba-dc/Dockerfile

@@ -24,7 +24,7 @@ ENV ADMIN_PASSWORD_SECRET=samba-admin-password \
     WINBIND_USE_DEFAULT_DOMAIN=yes \
     WORKGROUP=AD
 
-ARG SAMBA_VERSION=4.18.3-r0
+ARG SAMBA_VERSION=4.18.5-r0
 
 COPY *.conf.j2 /root/
 COPY entrypoint.sh /usr/local/bin/

images/samba/Dockerfile

@@ -8,7 +8,7 @@ LABEL org.label-schema.build-date=$BUILD_DATE \
     org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
 
-ARG SAMBA_VERSION=4.18.3-r0
+ARG SAMBA_VERSION=4.18.5-r0
 ENV LOGON_DRIVE=H \
     NETBIOS_NAME=samba \
     SERVER_STRING="Samba Server" \