Undo extra trivy changes

HHS · Nov 14, 2024 · 3883512 · 3883512
1 parent f2ef7cf
commit 3883512
Show file tree

Hide file tree

Showing 6 changed files with 7 additions and 18 deletions.
diff --git a/.github/workflows/ci-analytics-vulnerability-scans.yml b/.github/workflows/ci-analytics-vulnerability-scans.yml
@@ -8,7 +8,7 @@ on:
     paths:
       - .grype.yml
       - .hadolint.yaml
-      - .trivyignore.yaml
+      - .trivyignore
       - .github/workflows/vulnerability-scans.yml
       - analytics/Dockerfile
       - analytics/pyproject.toml

diff --git a/.github/workflows/ci-api-vulnerability-scans.yml b/.github/workflows/ci-api-vulnerability-scans.yml
@@ -8,7 +8,7 @@ on:
     paths:
       - .grype.yml
       - .hadolint.yaml
-      - .trivyignore.yaml
+      - .trivyignore
       - .github/workflows/vulnerability-scans.yml
       - api/Dockerfile
       - api/pyproject.toml

diff --git a/.github/workflows/ci-frontend-vulnerability-scans.yml b/.github/workflows/ci-frontend-vulnerability-scans.yml
@@ -8,7 +8,7 @@ on:
     paths:
       - .grype.yml
       - .hadolint.yaml
-      - .trivyignore.yaml
+      - .trivyignore
       - .github/workflows/vulnerability-scans.yml
       - frontend/Dockerfile
       - frontendpi/package.json

diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
@@ -161,6 +161,8 @@ jobs:
         env:
           TRIVY_SKIP_DB_UPDATE: true
           TRIVY_SKIP_JAVA_DB_UPDATE: true
+          # PyJWT has an example with a fake JWT that Trivy flags.
+          # see: https://github.com/aquasecurity/trivy/discussions/5772
           TRIVY_SKIP_FILES: "/api/.venv/lib/python*/site-packages/PyJWT-*.dist-info/METADATA"
 
       - name: Save output to workflow summary

diff --git a/.trivyignore.yaml → .trivyignore b/.trivyignore.yaml → .trivyignore
@@ -1,22 +1,9 @@
-# See: https://aquasecurity.github.io/trivy/v0.56/docs/configuration/filtering/#trivyignore
-# for details on formatting this file.
-#
 # List of vulnerabilities to ignore for the trivy scan
-
 # Please add safelists in the following format to make it easier when checking
 # Package/module name: URL to vulnerability for checking updates
 #  Versions:     URL to the version history
 #  Dependencies: Name of any other packages or modules that are dependent on this version
 #                 Link to the dependencies for ease of checking for updates
 #  Issue:         Why there is a finding and why this is here or not been removed
 #  Last checked:  Date last checked in scans
-
-# vulnerabilities:
-#   - id: CVE-1234-5678
-
-secrets:
-  # PyJWT has an example with a fake JWT that Trivy flags.
-  # see: https://github.com/aquasecurity/trivy/discussions/5772
-  id: jwt-token
-  paths:
-    - "api/.venv/lib/python3.13/site-packages/PyJWT-2.9.0.dist-info/METADATA"
+#The-CVE-or-vuln-id # Remove comment at start of line
diff --git a/documentation/infra/vulnerability-management.md b/documentation/infra/vulnerability-management.md
@@ -35,7 +35,7 @@ The hadolint scanner allows you to ignore or safelist certain findings, which ca
 
 ### Trivy
 
-The trivy scanner allows you to ignore or safelist certain findings, which can be specified in the [.trivyignore.yaml](../../.trivyignore.yaml) file. There is a template file here that you can use in your repo.
+The trivy scanner allows you to ignore or safelist certain findings, which can be specified in the [.trivyignore](../../.trivyignore) file. There is a template file here that you can use in your repo.
 
 ### Anchore