Skip to content

Commit

Permalink
docs: add example of creating whitelist of checks (#7821)
Browse files Browse the repository at this point in the history
Signed-off-by: nikpivkin <[email protected]>
  • Loading branch information
nikpivkin authored Oct 31, 2024
1 parent 194d4ab commit 7654b2e
Show file tree
Hide file tree
Showing 4 changed files with 15 additions and 2 deletions.
4 changes: 2 additions & 2 deletions docs/docs/configuration/filtering.md
Original file line number Diff line number Diff line change
Expand Up @@ -477,13 +477,13 @@ ignore {
```
```bash
trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
trivy image --ignore-policy examples/ignore-policies/basic.rego centos:7
```
For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`.
More info about the helper functions are in the library [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go).
You can find more example checks [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go)
You can create a whitelist of checks using Rego, see the detailed [example](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/ignore-policies/whitelist.rego). Additional examples are available [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/ignore-policies).
### By Vulnerability Exploitability Exchange (VEX)
| Scanner | Supported |
Expand Down
File renamed without changes.
File renamed without changes.
13 changes: 13 additions & 0 deletions examples/ignore-policies/whitelist.rego
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
package trivy

import rego.v1

allowed_checks := {
"AVD-AWS-0089"
}

default ignore := false

ignore if not is_check_allowed

is_check_allowed if input.AVDID in allowed_checks

0 comments on commit 7654b2e

Please sign in to comment.