aquasecurity / harbor-scanner-trivy

Use Trivy as a plug-in vulnerability scanner in the Harbor registry
https://goharbor.io
Apache License 2.0

Allow .trivyignore #310

Open Jeansen opened 1 year ago

Jeansen commented 1 year ago

Is your feature request related to a problem? Please describe. When scanning images with trivy, there will be a report with all found CVEs. That's great. One can also decide to allow image distribution with an allow list. Unfortunately, the trivy report always shows the full report. There is no way to filter allowed CVEs from the report, too.

Describe the solution you'd like We have the following use-case. Whenever an image is pushed to harbor, it will be scanned with trivy. After that a webhook is called, pushing the result of the scan to a simple service which will then forward it to a team channel if there are high or critical issues. Now, the team is already aware of irrelevant or currently not fixable CVEs. They would like to have them (temporarily) ignored and only get informed if there are new CVEs.

In practice I could imagine a similar configuration setting as is already available with the allow-list but for the trivy report itself.

For instance, manual trivy scans (not in harbor) can be configured (by means of e.g. a .trivyignore file) to only show relevant CVEs to a user. I'd be happy to see something similar in harbor where a .trivyignore could be configured on a system-wide or project-wide scope.

Forwarded from: https://github.com/goharbor/harbor/issues/18225
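As an added illustration of the filtering this request describes (example code, not code from harbor-scanner-trivy or Trivy), the Go snippet below reads a `.trivyignore` list and drops those IDs from a Trivy JSON report while counting what was suppressed, so the suppression itself remains visible in whatever is forwarded to the team. The struct types are an assumed minimal subset of Trivy's report schema; only the `Results[].Vulnerabilities[].VulnerabilityID` path is relied on.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Assumed subset of Trivy's JSON report; Unmarshal matches field names to Trivy's keys.
type Vulnerability struct{ VulnerabilityID, Severity string }
type Result struct {
	Target          string
	Vulnerabilities []Vulnerability
}
type Report struct{ Results []Result }

// ParseTrivyIgnore reads .trivyignore content: one vulnerability ID per line;
// blank lines and '#' comment lines are skipped.
func ParseTrivyIgnore(content string) map[string]bool {
	ignored := map[string]bool{}
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line != "" && !strings.HasPrefix(line, "#") {
			ignored[line] = true
		}
	}
	return ignored
}

// FilterReport parses a Trivy JSON report, removes ignored findings and returns
// the filtered copy plus the number of findings suppressed (for auditability).
func FilterReport(reportJSON, ignoreFile string) (Report, int, error) {
	var r Report
	if err := json.Unmarshal([]byte(reportJSON), &r); err != nil {
		return Report{}, 0, err
	}
	ignored := ParseTrivyIgnore(ignoreFile)
	out, suppressed := Report{}, 0
	for _, res := range r.Results {
		kept := []Vulnerability{}
		for _, v := range res.Vulnerabilities {
			if ignored[v.VulnerabilityID] {
				suppressed++
			} else {
				kept = append(kept, v)
			}
		}
		out.Results = append(out.Results, Result{Target: res.Target, Vulnerabilities: kept})
	}
	return out, suppressed, nil
}
```

Reporting the suppressed count alongside the filtered findings lets the webhook consumer distinguish "no new CVEs" from "nothing scanned", which a bare filtered list would hide.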

DanielMcKracken commented 1 year ago

Hi, seems like https://github.com/aquasecurity/harbor-scanner-trivy/blob/main/pkg/trivy/wrapper.go#L120 is the right place to include the trivy-ignore command line option, but I'm not sure where the .trivyignore file is located. I mean it's not inside the image, i.e. it needs to be provided by harbor itself.

hoerup commented 11 months ago

I'd like to see this implemented as well, in order to completely ignore false positives