Closed arairyus closed 5 months ago
I mean that this mistake is only in the comment, right?
yes, I fixed comment.
Sorry for the confusion, I saw the logs:

```
Found ignorefile 'terraform/mask/.trivyignore':
```

local:

```
% trivy config terraform/*mask* -c terraform/trivy.yaml --ignorefile terraform/*mask*/.trivyignore
2024-04-17T14:01:09.118+0900 INFO Loaded terraform/trivy.yaml
2024-04-17T14:01:09.137+0900 INFO Misconfiguration scanning is enabled
2024-04-17T14:01:13.002+0900 INFO Detected config files: 62
```
It looks like there is a mistake here:

Full path only?

> README.md: comma-separated list of relative paths in repository to one or more .trivyignore files
It's a bit strange, because there aren't any issues in my demo repo:

```
Run aquasecurity/trivy-action@master
Found ignorefile 'terraform/mask/.trivyignore':
# CRITICAL
AVD-GCP-0027
Running trivy with options: trivy config --format table --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --ignorefile ./trivyignores --quiet .
Global options:
terraform/main.tf (terraform)
=============================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
for this repo https://github.com/afdesk/demo-trivy-action
local:

```
$ trivy config .
2024-04-17T11:40:46.564+0600 INFO Misconfiguration scanning is enabled
2024-04-17T11:40:47.544+0600 INFO Detected config files: 2

terraform/main.tf (terraform)
=============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: Firewall rule allows ingress traffic from multiple addresses on the public internet.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets and avoid using the /0 subnet.

See https://avd.aquasec.com/misconfig/avd-gcp-0027
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform/main.tf:1-15
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "google_compute_firewall" "default" {
   2 │   name    = "test-firewall"
   3 │   network = google_compute_network.default.name
   4 │
   5 │   allow {
   6 │     protocol = "icmp"
   7 │   }
   8 │
   9 └   allow {
  ..
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
```

```
$ trivy config --ignorefile terraform/mask/.trivyignore .
2024-04-17T11:41:15.415+0600 INFO Misconfiguration scanning is enabled
2024-04-17T11:41:16.386+0600 INFO Detected config files: 2

terraform/main.tf (terraform)
=============================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
@arairyus maybe your trivy.yaml contains `ignorefile: .trivyignore`?
@afdesk

my trivy.yml

```yaml
timeout: 10m
format: table
dependency-tree: true
list-all-pkgs: true
exit-code: 1
severity:
  - UNKNOWN
  - LOW
  - MEDIUM
  - HIGH
  - CRITICAL
scan:
  skip-files:
    - '**/.terraform/modules/*/examples/**'
    - '**/.terraform/modules/*/codelabs/**'
    - '**/.terraform/modules/*/test/**'
    - '**/.terraform/**/*.yaml'
```

```yaml
jobs:
  terraform-plan:
    name: 'Terraform Plan'
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
        working-directory: ${{ env.WORKING_DIRECTORY }}
```
Is it because of the working directory setup?
I removed trivy-config and trivyignore worked!
If trivy-config is set, can't other options be set?
https://github.com/aquasecurity/trivy-action/blob/master/entrypoint.sh#L187-L204
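The thread's failure mode is a `.trivyignore` path that resolves in one directory but not another, and a single `--ignorefile` being built from several inputs. The function below is an added example, not trivy-action's own `entrypoint.sh`: it resolves a comma-separated list of ignore files relative to the repository root (as the README describes), warns when a path only resolves relative to the job's working directory, and merges the rule IDs into one file for `trivy config --ignorefile`. The function name, the warning text and the constructed test files are assumptions.

```shell
# Added example (not trivy-action's own entrypoint.sh): resolve a comma-separated
# list of .trivyignore paths relative to the repository root, as the README says,
# and merge them into the single ignore file that trivy's --ignorefile accepts.
# The working-directory check is an assumption about where this setup goes wrong.
#
# usage: merge_trivyignores REPO_ROOT WORKING_DIRECTORY "a/.trivyignore,b/.trivyignore" OUT
# returns 0 when every listed file was found relative to REPO_ROOT, 1 otherwise
merge_trivyignores() {
  repo_root=$1 workdir=$2 list=$3 out=$4
  missing=0
  : > "$out"
  old_ifs=$IFS
  IFS=','
  set -f                  # no globbing: a literal '*' must not expand against the cwd
  set -- $list            # split the input on commas only
  set +f
  IFS=$old_ifs
  for rel in "$@"; do
    rel=$(printf '%s' "$rel" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    [ -z "$rel" ] && continue
    if [ -f "$repo_root/$rel" ]; then
      echo "Found ignorefile '$rel'"
      # keep only rule IDs: drop comment and blank lines before merging
      sed '/^[[:space:]]*#/d;/^[[:space:]]*$/d' "$repo_root/$rel" >> "$out"
    elif [ -f "$repo_root/$workdir/$rel" ]; then
      echo "WARNING: '$rel' only resolves relative to working directory '$workdir';" \
           "list it relative to the repository root instead" >&2
      missing=1
    else
      echo "WARNING: ignorefile '$rel' not found" >&2
      missing=1
    fi
  done
  sort -u -o "$out" "$out"   # one rule ID per line, duplicates removed
  echo "Merged $(wc -l < "$out") rule(s) into '$out'"
  return "$missing"
}
```

Run it with the job's `WORKING_DIRECTORY` as the second argument before invoking trivy; a non-zero return means at least one listed ignore file will not be applied.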
Hi, I have a problem with trivyignores; when I run it locally, I can ignore without any problem.
config
.trivyignore
workflow.yml
env.WORKING_DIRECTORY = terraform/mask