/gitlab-trivy-security-checks

GitLab's built-in container scanning only scans Docker images and can't read lockfiles. To cover lockfiles, you need to run a Trivy instance yourself and tell it to scan the filesystem instead. This config template can be included in your .gitlab-ci.yml to get the scanning job for free (similar to how GitLab's own container scanning works).
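For orientation, a filesystem-scan job of the kind described above could look like the following. This is an added example, not the template shipped in this repository; the job name, stage, report filename, cache path and severity threshold are all assumptions.

```yaml
# Added example: NOT this repository's template.
# Job name, stage, report filename and severity threshold are assumptions.
trivy-fs-scan:
  stage: test
  image:
    name: aquasec/trivy:latest   # pin a specific tag or digest in real pipelines
    entrypoint: [""]             # image entrypoint is `trivy`; clear it so the runner gets a shell
  variables:
    # Keep the vulnerability DB inside the project dir so GitLab can cache it.
    TRIVY_CACHE_DIR: "$CI_PROJECT_DIR/.trivycache"
  cache:
    paths:
      - .trivycache/
  script:
    # Pass 1: write a full JSON report of dependency vulnerabilities found
    # via lockfiles in the checkout; exit code 0 so the report is always produced.
    - trivy fs --scanners vuln --format json --output trivy-fs-report.json --exit-code 0 .
    # Pass 2: fail the job only on HIGH/CRITICAL findings that have a fix available.
    - trivy fs --scanners vuln --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 .
  artifacts:
    when: always                 # keep the report even when pass 2 fails the job
    paths:
      - trivy-fs-report.json
    expire_in: 1 week
```

Splitting the scan into a reporting pass and a gating pass keeps the full findings available as an artifact while only fixable high-severity issues block the pipeline.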

MIT License
