aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

trivyignores does not support yaml/json and non-yaml files #284

Open gamethis opened 9 months ago

gamethis commented 9 months ago

Issue

The current version of the trivy action does not take into account that Trivy only supports YAML/JSON if the file has the suffix .yaml|.json, so when you put the following into the action parameters

trivyignores: "./.trivyignore.yaml"

it makes a file that is without a .yaml|.json ending. As a result, this makes trivy not read the file and ignore the input.

Reproduction of issue

I have created a repo with the files to demonstrate this

https://github.com/gamethis/trivy_issues

You can see the scenario by running trivy.sh; it will work. If you run trivy_fail.sh, it will simulate what the action does currently and will fail.

Desired Action outcome

Would like to see the action updated to either check for yaml|json and add another --ignorefile .trivyignores.yaml to use, or an input parameter that will allow for yaml|json style ignore files.

cswilliams commented 8 months ago

I would also love to see this added. I would like to use the --ignorefile option for ignoring some false positives from the secret scanner. While I could use the non yaml .trivyignore, it doesn't support ignoring by file path like the yaml version does (but please correct me if I'm wrong).

tkatila commented 7 months ago

Yes please.

loljawn commented 7 months ago

Agreed, would like support for yaml ignore files

Edit: the current version is 0.48.1, and yaml support was added in 0.45, so it should be supported.

jvassbo commented 6 months ago

You can bypass this problem by using the config file (trivy-config: trivy.yaml) and defining ignorefile: .trivyignore.yaml there.
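As a concrete illustration of the workaround above (an added example, not code from the trivy-action project or from any commenter in this thread), the following shows the failing configuration next to the working one. The `trivyignores` and `trivy-config` inputs of the action, the `ignorefile` key of trivy.yaml, the `vulnerabilities`/`secrets` sections of a YAML ignore file and the `aws-access-key-id` secret rule id are real; the image name, the file paths and the `CVE-0000-00000` entry are placeholders chosen for the example.

```yaml
# --- .github/workflows/scan.yml (job steps only, constructed for this example) ---
steps:
  - uses: actions/checkout@v4

  # FAILING: the action concatenates the listed files into a single ignore
  # file without a .yaml/.json suffix, so Trivy parses it as the plain-text
  # .trivyignore format and silently ignores the YAML content.
  - name: Scan (YAML ignore file is not applied)
    uses: aquasecurity/trivy-action@master
    with:
      image-ref: ghcr.io/example-org/example-image:latest   # placeholder image
      trivyignores: ./.trivyignore.yaml

  # WORKING: point the action at a trivy.yaml config file and let the
  # config file name the YAML ignore file; Trivy reads the suffix from
  # that path, so the YAML format is honoured.
  - name: Scan (YAML ignore file applied via trivy.yaml)
    uses: aquasecurity/trivy-action@master
    with:
      image-ref: ghcr.io/example-org/example-image:latest   # placeholder image
      trivy-config: trivy.yaml

---
# --- trivy.yaml (Trivy config file, relative to the checkout root) ---
ignorefile: .trivyignore.yaml

---
# --- .trivyignore.yaml (YAML ignore format, supported since Trivy 0.45) ---
vulnerabilities:
  - id: CVE-0000-00000            # placeholder id, not a real advisory
    paths:
      - "usr/lib/example/METADATA" # placeholder path; only this file is ignored
    statement: "Accepted risk, tracked in internal ticket"

secrets:
  - id: aws-access-key-id          # built-in Trivy secret rule
    paths:
      - "tests/fixtures/fake-aws.env" # placeholder path: test fixture, not a live key
```

The per-path `paths` entries are what the plain-text .trivyignore format cannot express; with this layout the secret-scanner finding is suppressed only for the named fixture file, and a real key appearing anywhere else in the image still fails the scan.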

vdavydenko-asrc-core commented 5 months ago

Yeah, this is needed.