Revert security-checks.yaml to be a full copy

config-checks.yaml

@@ -2,11 +2,37 @@ include:
   - remote: https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-config-checks/main/config-checks.template.yaml
 
 config_scanning:
-  allow_failure: !reference [ .config_scanning, allow_failure ]
-  artifacts: !reference [ .config_scanning, artifacts ]
-  cache: !reference [ .config_scanning, cache ]
-  image: !reference [ .config_scanning, image ]
-  script: !reference [ .config_scanning, script ]
-  stage: !reference [ .config_scanning, stage ]
-  tags: !reference [ .config_scanning, tags ]
-  variables: !reference [ .config_scanning, variables ]
+  image: 
+    name: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/aquasec/trivy
+    entrypoint: [""]
+  tags:
+    - small-runner
+  stage: test
+  variables:
+    TRIVY_NO_PROGRESS: "true"
+    SEVERITY: "MEDIUM,HIGH,CRITICAL,UNKNOWN"
+    TRIVY_SEVERITY: "$SEVERITY"    
+    TRIVY_CACHE_DIR: ".trivycache/"
+    # Set to "backend" and "frontend" in the respective jobs in mono-repos.
+    DIRECTORY: "./"
+    # Is like that for backward-compatibility, previously we only had DIRECTORY.
+    FILENAME: "gl-codeclimate-$CI_JOB_NAME_SLUG.json"
+    EXIT_CODE_ON_FINDINGS: 1
+  before_script:
+    - if [ ! -e ${TRIVY_CACHE_DIR} ]; then mkdir -p ${TRIVY_CACHE_DIR}; fi
+    - if [ ! -e ${TRIVY_CACHE_DIR}config-checks.tpl ]; then  wget --no-verbose https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-config-checks/main/config-checks.tpl -O ${TRIVY_CACHE_DIR}config-checks.tpl; fi
+  allow_failure: true
+  script:
+    # Report results to json file
+    - trivy config --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
+    # Report results as table
+    - trivy config --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
+  cache:
+    paths:
+      - .trivycache/
+  artifacts:
+    paths:
+      - $FILENAME
+    reports:
+      codequality: $FILENAME
+    when: always