aquasecurity / trivy-action

Runs Trivy as a GitHub Action to scan your Docker container image for vulnerabilities
Apache License 2.0
729 stars 216 forks

Add conditional check for yaml trivyignores #349

Closed furan917 closed 2 weeks ago

furan917 commented 2 months ago

A suggestion of how to tackle the https://github.com/aquasecurity/trivy-action/issues/348 issue I created, which I then found is a duplicate of https://github.com/aquasecurity/trivy-action/issues/284 (My bad, sorry)

This proposes to have a conditional check if the files passed in are yml/yaml or not, and push them to their respective trivyignores file. There is also an error added in if a mix is used as trivy cannot support multiple ignore files. Though this could be weakened to a warning with 1 set of files taking precedence.

Currently the process cats a file as it is found, though it might be more useful to cat the fully completed trivyignore file so users can see the end result to validate the file builds as they expect? But that's just a suggestion.
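The conditional check described above, written out as a POSIX shell function. This is an added example, not code from trivy-action's entrypoint.sh or from this PR; the output names `trivyignores` / `trivyignores.yaml` and the extension-based classification are assumptions.

```shell
#!/bin/sh
# merge_trivyignores INPUT OUTDIR
#   INPUT  : comma-separated ignore files, as the action's `trivyignores` input is given
#   OUTDIR : directory in which to build the combined file
# Builds OUTDIR/trivyignores (plain) or OUTDIR/trivyignores.yaml (YAML) and prints its
# path. Fails if plain-text and YAML files are mixed, since Trivy reads one ignore file.
# File names and extension-based detection are assumptions, not trivy-action code.
merge_trivyignores() {
  input="$1"; outdir="$2"
  n_plain=0; n_yaml=0
  old_ifs="$IFS"; IFS=','          # split on commas only, so paths may contain spaces
  for f in $input; do
    [ -n "$f" ] || continue
    if [ ! -f "$f" ]; then
      echo "ERROR: ignore file not found: $f" >&2
      IFS="$old_ifs"; return 1
    fi
    case "$f" in
      *.yml|*.yaml) n_yaml=$((n_yaml + 1)) ;;
      *)            n_plain=$((n_plain + 1)) ;;
    esac
  done
  if [ "$n_plain" -gt 0 ] && [ "$n_yaml" -gt 0 ]; then
    echo "ERROR: trivyignores mixes plain-text and YAML files; use one format" >&2
    IFS="$old_ifs"; return 1
  fi
  if [ "$n_yaml" -gt 0 ]; then
    out="$outdir/trivyignores.yaml"
    # Plain concatenation of several YAML ignore files repeats top-level keys
    # (e.g. two `vulnerabilities:` lists), which is not a real merge: validate the result.
    if [ "$n_yaml" -gt 1 ]; then
      echo "WARNING: concatenating $n_yaml YAML ignore files; check that the result parses" >&2
    fi
  else
    out="$outdir/trivyignores"
  fi
  : > "$out"                       # start the combined file empty
  for f in $input; do
    [ -n "$f" ] || continue
    cat "$f" >> "$out"
  done
  IFS="$old_ifs"
  echo "$out"                      # caller can `cat` this to show the end result
}
```

Printing the path (rather than each input as it is found) lets the action show the fully built file once, as the comment above suggests.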

CLAassistant commented 2 months ago

CLA assistant check
All committers have signed the CLA.

furan917 commented 4 weeks ago

@simar7 Just wanted to check, is this something that would be of interest to the project?

If not, I'm happy to continue to build internally from the trivy images and add in sed changes as my team requires, so no pressure.

simar7 commented 4 weeks ago

Since Trivy added support for supplying a configuration file via the trivy-config flag, it's possible to supply an ignorefile: directive within the config file as well.

While I understand the approach you have, I would still favour keeping trivy-action logic simple and passing further functionality via the config file instead.

furan917 commented 2 weeks ago

Sorry forgot to close this, doing so now.