Open simar7 opened 3 weeks ago
@simar7 @nikpivkin Does the misconfiguration scanner allow disabling checks by ID? When scanning image metadata, we want to pass AVD-DS-0011 as a disabled check.
@knqyf263 currently we don't, but for my own understanding, I'd like to know how we can pass the info when scanning Dockerfiles to the misconf scanner, to purposefully ignore a check just for the image metadata.
From my understanding, we pass the Dockerfile as such. If we add another option in the misconfiguration scanner, how will the analyzer use it?
It's certainly an interesting use case which I'd like to consider. It's more on the lines of disabling a check, but not completely ignoring it for all inputs. IOW, more granular than a simple selector or subtype based filter can accomplish today.
@simar7 This is an interesting feature. It will disable the AVD-AWS-0169 check for all scanners except aws.
I may be missing something, but I meant to pass DisableCheckIDs here.
https://github.com/aquasecurity/trivy/blob/efdbd8f19ab0ab0c3b48293d43e51c81b7b03b89/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go#L30
This analyzer is used only when scanning image configuration (a.k.a. history) and doesn't need AVD-DS-0011.
Discussed in https://github.com/aquasecurity/trivy/discussions/7320
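The thread's point is that a check should be switchable off for one kind of input (image configuration/history) while it keeps firing for others (a real Dockerfile), which a plain check-ID or subtype filter cannot express. The following Go program is an added illustration of that per-input filtering, written for this page; it is not Trivy's code, and the `InputKind`, `Finding`, `DisabledChecks`, `Filter` and `sampleFindings` names, the `image-config`/`dockerfile` input kinds and the sample findings (including the placeholder check ID `AVD-XX-0000`) are all constructed for the example.

```go
package main

import "fmt"

// InputKind distinguishes what the misconfiguration scanner was given.
// Hypothetical type for this example; not Trivy's own API.
type InputKind string

const (
	InputDockerfile  InputKind = "dockerfile"   // a Dockerfile from a filesystem or repo scan
	InputImageConfig InputKind = "image-config" // image config/history reconstructed as a Dockerfile
)

// Finding is a minimal stand-in for one misconfiguration result.
type Finding struct {
	CheckID string
	Input   InputKind
	Message string
}

// DisabledChecks maps an input kind to the check IDs suppressed for that
// input only. A check absent from the map stays enabled everywhere, which is
// the granularity discussed above: drop AVD-DS-0011 for image metadata
// without ignoring it for Dockerfiles.
type DisabledChecks map[InputKind][]string

// IsDisabled reports whether checkID is switched off for the given input kind.
func (d DisabledChecks) IsDisabled(kind InputKind, checkID string) bool {
	for _, id := range d[kind] {
		if id == checkID {
			return true
		}
	}
	return false
}

// Filter drops findings whose check ID is disabled for their own input kind
// and returns the remaining findings in their original order.
func Filter(findings []Finding, disabled DisabledChecks) []Finding {
	kept := make([]Finding, 0, len(findings))
	for _, f := range findings {
		if disabled.IsDisabled(f.Input, f.CheckID) {
			continue
		}
		kept = append(kept, f)
	}
	return kept
}

// sampleFindings is constructed input: the same check reported against an
// image config and against a real Dockerfile, plus an unrelated placeholder check.
func sampleFindings() []Finding {
	return []Finding{
		{CheckID: "AVD-DS-0011", Input: InputImageConfig, Message: "constructed: reported against image history"},
		{CheckID: "AVD-DS-0011", Input: InputDockerfile, Message: "constructed: reported against a Dockerfile"},
		{CheckID: "AVD-XX-0000", Input: InputImageConfig, Message: "constructed: placeholder unrelated check"},
	}
}

func main() {
	// Disable AVD-DS-0011 only for image configuration input.
	disabled := DisabledChecks{InputImageConfig: {"AVD-DS-0011"}}
	for _, f := range Filter(sampleFindings(), disabled) {
		fmt.Printf("%s (%s): %s\n", f.CheckID, f.Input, f.Message)
	}
}
```

Keying the disable list by input kind rather than by check ID alone is what keeps the Dockerfile finding for AVD-DS-0011 while the image-config one is dropped; a global disable list would remove both.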