aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

`skip-dirs` does not get applied #194

Open AntonOellerer opened 1 year ago

AntonOellerer commented 1 year ago

Hey, for this project, I am trying to configure Trivy to skip analyzing the examples folder in the following way:

```yaml
- name: Run Trivy vulnerability scanner in fs mode
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'fs'
    scan-ref: '.'
    trivy-config: trivy.yaml
    skip-dirs: examples
```

trivy.yaml:

```yaml
format: template
template: "@/contrib/html.tpl"
exit-code: 1
severity: CRITICAL,HIGH
output: trivy-results.html
```

The directory layout of the project is such that the top-level directory contains src/ and examples/, with examples/ further containing a directory in which a package-lock.json lies. Do you know what might be the issue here?
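The quickest way to confirm whether a `skip-dirs` setting was actually honored is to look at the `Target` entries in the scan report rather than at the rendered HTML. The following is an added example (not code from trivy-action or from the issue author) that reads a Trivy JSON report, as produced with `--format json`, and lists every result target that lies under a directory that should have been skipped. It assumes that `fs`-mode targets are reported relative to `scan-ref` and that the action's `skip-dirs` input is a comma-separated list; the embedded report is a constructed sample mirroring the layout described above (src/ plus examples/<dir>/package-lock.json), with placeholder finding IDs rather than real ones.

```python
"""Check a Trivy JSON report for results under directories that should have been skipped.

Added example, not part of trivy-action or the issue thread. Assumes the scan
was run with `--format json` and that `Target` paths are relative to scan-ref.
"""
import json
import posixpath
import sys
from typing import Iterable, List

# Constructed sample of a Trivy fs-mode JSON report for the layout in the issue.
# Only the fields this check reads are included; the finding IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "src/package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [{"VulnerabilityID": "EXAMPLE-ID-1", "Severity": "HIGH"}],
        },
        {
            # This target should not appear at all if `skip-dirs: examples` was applied.
            "Target": "examples/demo/package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [{"VulnerabilityID": "EXAMPLE-ID-2", "Severity": "CRITICAL"}],
        },
    ],
})


def parse_skip_dirs(value: str) -> List[str]:
    """Split the comma-separated form used by the action's `skip-dirs` input (assumption)."""
    return [part.strip() for part in value.split(",") if part.strip()]


def is_under(target: str, skip_dir: str) -> bool:
    """True if `target` is `skip_dir` or lies inside it.

    Uses path-component matching, so `examples` does not match `examples-old/x`,
    and tolerates `./` prefixes and trailing slashes on either side.
    """
    t = posixpath.normpath(target)
    d = posixpath.normpath(skip_dir)
    return t == d or t.startswith(d + "/")


def unskipped_targets(report_json: str, skip_dirs: Iterable[str]) -> List[str]:
    """Return every `Results[].Target` that falls under one of `skip_dirs`.

    A non-empty result means the skip was not applied: Trivy still traversed
    and reported files under a directory that was supposed to be excluded.
    """
    report = json.loads(report_json)
    dirs = [d for d in skip_dirs if d]
    offending = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        if any(is_under(target, d) for d in dirs):
            offending.append(target)
    return offending


def skip_dirs_applied(report_json: str, skip_dirs: Iterable[str]) -> bool:
    """Convenience wrapper: True only if no result target is under a skipped dir."""
    return not unskipped_targets(report_json, skip_dirs)


if __name__ == "__main__":
    # Usage: python check_skip.py trivy-results.json "examples,vendor"
    # With no arguments, the constructed sample report is checked instead.
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report_text = fh.read()
        skipped = parse_skip_dirs(sys.argv[2])
    else:
        report_text, skipped = SAMPLE_REPORT, parse_skip_dirs("examples")

    leaked = unskipped_targets(report_text, skipped)
    if leaked:
        print("skip-dirs was NOT applied; results found under skipped directories:")
        for t in leaked:
            print(f"  {t}")
        sys.exit(1)
    print("skip-dirs applied: no results under", ", ".join(skipped))
```

Run it as a follow-up step in the workflow after a scan with `format: json` to fail the job, or just to log, whenever the exclusion silently stops working; the sample run exits non-zero because the constructed report still contains the examples/ lock file.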

AntonOellerer commented 1 year ago

OK, I found the issue: apparently, when relying on a trivy-config file, the skip-dirs value gets ignored, no matter whether it is set in the config or not.

AntonOellerer commented 1 year ago

It would probably be good to either specify that using the trivy-config parameter causes the other arguments to be ignored, or to rewrite the logic so that it is not an either/or exclusion.