aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

trivyignores not working #337

Closed arairyus closed 5 months ago

arairyus commented 5 months ago

Hi, I have a problem with trivyignores: when I run it locally, I can ignore without any problem.

config

.trivyignore

# CRITICAL
AVD-GCP-0027

workflow.yml

env.WORKING_DIRECTORY = terraform/mask

      - name: Run Trivy vulnerability scanner in config mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          scan-ref: ${{ env.WORKING_DIRECTORY }}
          trivy-config: terraform/trivy.yaml
          trivyignores: ${{ env.WORKING_DIRECTORY }}/.trivyignore
Found ignorefile 'terraform/mask/.trivyignore':
# CRITICAL
AVD-GCP-0027
Running Trivy with trivy.yaml config from:  terraform/trivy.yaml
2024-04-17T03:39:36.626Z    INFO    Loaded terraform/trivy.yaml
2024-04-17T03:39:36.629Z    INFO    Misconfiguration scanning is enabled
2024-04-17T03:39:36.629Z    INFO    Need to update the built-in policies
2024-04-17T03:39:36.629Z    INFO    Downloading the built-in policies...
46.13 KiB / 46.13 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-04-17T03:39:40.494Z    INFO    Detected config files: 62

.terraform/modules/***/modules/network/modules/fabric-net-firewall/main.tf (terraform)
============================================================================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 3)

CRITICAL: Firewall rule allows ingress traffic from multiple addresses on the public internet.
════════════════════════════════════════
Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.

See https://avd.aquasec.com/misconfig/avd-gcp-0027
arairyus commented 5 months ago

I mean that this mistake is only in the comment, right?

Yes, I fixed the comment.

afdesk commented 5 months ago

I mean that this mistake is only in the comment, right?

Yes, I fixed the comment.

Sorry for the confusion, I saw the logs:

Found ignorefile 'terraform/mask/.trivyignore':

arairyus commented 5 months ago

local

% trivy config terraform/mask -c terraform/trivy.yaml --ignorefile terraform/mask/.trivyignore
2024-04-17T14:01:09.118+0900      INFO     Loaded terraform/trivy.yaml
2024-04-17T14:01:09.137+0900    INFO     Misconfiguration scanning is enabled
2024-04-17T14:01:13.002+0900    INFO     Detected config files: 62
afdesk commented 5 months ago

It looks like there is a mistake here:

https://github.com/aquasecurity/trivy-action/blob/207cd40078971bb7a078f8504c2061f908569449/entrypoint.sh#L145-L158

arairyus commented 5 months ago

Full path only?

README.md: comma-separated list of relative paths in repository to one or more .trivyignore files

afdesk commented 5 months ago

Full path only?

README.md: comma-separated list of relative paths in repository to one or more .trivyignore files

It's a bit strange, because there aren't any issues in my demo repo:

Run aquasecurity/trivy-action@master

Found ignorefile 'terraform/mask/.trivyignore':
# CRITICAL
AVD-GCP-0027
Running trivy with options: trivy config  --format table --severity  UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --ignorefile ./trivyignores --quiet .
Global options:  

terraform/main.tf (terraform)
=============================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

for this repo https://github.com/afdesk/demo-trivy-action

afdesk commented 5 months ago

local:

$ trivy config .
2024-04-17T11:40:46.564+0600    INFO    Misconfiguration scanning is enabled
2024-04-17T11:40:47.544+0600    INFO    Detected config files: 2

terraform/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: Firewall rule allows ingress traffic from multiple addresses on the public internet.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.

See https://avd.aquasec.com/misconfig/avd-gcp-0027
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform/main.tf:1-15
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "google_compute_firewall" "default" {
   2 │   name    = "test-firewall"
   3 │   network = google_compute_network.default.name
   4 │ 
   5 │   allow {
   6 │     protocol = "icmp"
   7 │   }
   8 │ 
   9 └   allow {
  ..   
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

$ trivy config --ignorefile terraform/mask/.trivyignore .
2024-04-17T11:41:15.415+0600    INFO    Misconfiguration scanning is enabled
2024-04-17T11:41:16.386+0600    INFO    Detected config files: 2

terraform/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
afdesk commented 5 months ago

@arairyus maybe your trivy.yaml contains ignorefile: .trivyignore?

arairyus commented 5 months ago

@afdesk

my trivy.yml

timeout: 10m
format: table
dependency-tree: true
list-all-pkgs: true
exit-code: 1
severity:
  - UNKNOWN
  - LOW
  - MEDIUM
  - HIGH
  - CRITICAL
scan:
  skip-files:
    - '**/.terraform/modules/*/examples/**'
    - '**/.terraform/modules/*/codelabs/**'
    - '**/.terraform/modules/*/test/**'
    - '**/.terraform/**/*.yaml'
arairyus commented 5 months ago
jobs:
  terraform-plan:
    name: 'Terraform Plan'
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
        working-directory: ${{ env.WORKING_DIRECTORY }}

Is it because of the working directory setup?

arairyus commented 5 months ago

I removed trivy-config and trivyignore worked!

arairyus commented 5 months ago

If trivy-config is set, can't other options be set?

https://github.com/aquasecurity/trivy-action/blob/master/entrypoint.sh#L187-L204
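The behaviour this thread converges on (ignore files are merged into a single `./trivyignores` and passed with `--ignorefile`, but when `trivy-config` is set only the config file and the scan target are passed, so the ignore file is dropped) can be reproduced outside GitHub Actions. The script below is an added illustration, not trivy-action's `entrypoint.sh` and not code from either participant; the `./trivyignores` path and the exact command shapes are assumptions modelled on the "Running trivy with options" and "Running Trivy with trivy.yaml config" log lines quoted above. It also shows the workaround afdesk hints at: carrying the ignore file inside `trivy.yaml` through Trivy's top-level `ignorefile` key, so that suppressions survive even on the config code path.

```shell
#!/usr/bin/env bash
# Added illustration for this issue; NOT the action's own entrypoint.sh.
# Assumptions: the merged ignore file is named ./trivyignores and the two
# command shapes mirror the log lines quoted in the thread.
set -eu

# Concatenate a comma-separated list of .trivyignore paths into one file,
# echoing each file the way the action's log does ("Found ignorefile ...").
merge_ignorefiles() {
  list=$1; out=$2
  : > "$out"
  oldifs=$IFS; IFS=','; set -- $list; IFS=$oldifs
  for f in "$@"; do
    [ -f "$f" ] || { echo "ignorefile '$f' not found" >&2; return 1; }
    echo "Found ignorefile '$f':"
    cat "$f"
    cat "$f" >> "$out"
    # Guarantee a trailing newline so the last ID of one file cannot fuse
    # with the first line of the next (a missing newline is why the log above
    # shows "AVD-GCP-0027Running trivy ..." on one line).
    [ -z "$(tail -c1 "$out")" ] || echo >> "$out"
  done
}

# Build the Trivy command line. With trivy-config set, only the config file
# and the scan target are passed, so --ignorefile silently disappears: the
# failure mode the reporter hit until trivy-config was removed.
build_cmd() {
  scan_type=$1; scan_ref=$2; trivy_config=$3; ignorefile=$4
  if [ -n "$trivy_config" ]; then
    echo "trivy --config $trivy_config $scan_type $scan_ref"
  else
    echo "trivy $scan_type --format table --ignorefile $ignorefile --quiet $scan_ref"
  fi
}

# Workaround when trivy-config must stay: write a copy of the config with
# Trivy's top-level 'ignorefile' key pointing at the merged file, so the
# suppressions ride along with the config instead of a dropped CLI flag.
config_with_ignorefile() {
  src=$1; ignorefile=$2; dst=$3
  grep -v '^ignorefile:' "$src" > "$dst" || true   # drop any existing key
  printf 'ignorefile: %s\n' "$ignorefile" >> "$dst"
}

# Demo on constructed inputs (run as: bash this_script.sh demo).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/terraform/mask"
  # constructed sample ignore file, deliberately without a trailing newline
  printf '# CRITICAL\nAVD-GCP-0027' > "$tmp/terraform/mask/.trivyignore"
  printf 'AVD-GCP-0001\n' > "$tmp/extra.trivyignore"          # constructed
  printf 'format: table\nexit-code: 1\n' > "$tmp/trivy.yaml"   # constructed
  ( cd "$tmp" && merge_ignorefiles 'terraform/mask/.trivyignore,extra.trivyignore' ./trivyignores )
  echo "--- merged ./trivyignores:"; cat "$tmp/trivyignores"
  echo "--- without trivy-config (ignore file passed):"
  build_cmd config terraform/mask '' ./trivyignores
  echo "--- with trivy-config (ignore file dropped):"
  build_cmd config terraform/mask trivy.yaml ./trivyignores
  echo "--- config carrying the ignore file:"
  config_with_ignorefile "$tmp/trivy.yaml" ./trivyignores "$tmp/trivy.fixed.yaml"
  cat "$tmp/trivy.fixed.yaml"
  rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The `tail -c1` check in `merge_ignorefiles` matters more than it looks: Trivy matches ignore entries line by line, so two files concatenated without a separating newline produce one bogus ID and silently lose both suppressions.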