Trivy uses a .trivyignore file to allow CVEs to be explicitly ignored. The --ignoreunfixed flag tells Trivy to ignore all unfixed CVEs in a distro, but not all distros provide unfixed data and sometimes it is preferable to explicitly specify CVEs you want to ignore.
This pull request adds the option to provide a git URL and revision as the source of the .trivyignore file, which could be the source for the container, or a company wide config repo. If the Git URL is not provided then the tasks work as before.
The nodejs pipeline has also been altered to provide the project git URL to the trivy scan task, so if a .trivyignore file is in the root of the project, then it will be used in the scan.
This addresses https://github.com/cloud-native-toolkit/planning/issues/876
Signed-off-by: Brian Innes binnes@uk.ibm.com