
Report vulnerability filtering: support scoped ignores #4022

Closed
jof opened this issue Apr 10, 2023 · 2 comments · Fixed by #5070
Labels
kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence. scan/misconfiguration Issues relating to misconfiguration scanning
Comments

@jof
Contributor

jof commented Apr 10, 2023

Context:

  • As a new user of Trivy, coming from tfsec, Trivy scans and reports for potential findings in my repositories that tfsec never looked for.
  • To support adding Trivy to existing repository CI systems, it is useful to temporarily ignore or filter some findings.
  • In existing Terraform use cases, inline filtering works fine. However, Trivy supports scanning some configuration formats that will be non-trivial to add inline comment-filtering to (e.g. Dockerfiles Support Inline Filtering #2961)
  • The most obvious feature to reach for is the .trivyignore file (https://aquasecurity.github.io/trivy/v0.39/docs/vulnerability/examples/filter/#by-vulnerability-ids)
    • But, this comes with a huge caveat: the .trivyignore file has repo-wide scope.
    • In case a new vulnerability of a known-and-intentionally-ignored type (for example, risks in a local dev VM aren't the same as production, but the code for both might share a repository), Trivy might miss a new finding.

Request:

Rather than wait for perfect inline filtering in every possible configuration format, we could enable per-file, per-path, or per-pattern filtering of findings in files before making any output or reporting.

For example, I could imagine a today-simple .trivyignore file like

CVE-123
CVE-456
AVD-DS-0002

becoming a more powerful and improved .trivyignore.yaml file:

---
ignores:
  - CVE-123
  - CVE-456
path_ignores:
  "some/sub/directory/Dockerfile":
    - AVD-DS-0002
@jof jof added the kind/feature Categorizes issue or PR as related to a new feature. label Apr 10, 2023
@itaysk itaysk added the scan/misconfiguration Issues relating to misconfiguration scanning label Apr 10, 2023
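A worked example of the scoping the proposal above describes, added here as an illustration and not code from Trivy or from the issue author: a small Go filter that takes the proposed `ignores` / `path_ignores` structure (supplied as a struct literal rather than parsed from YAML, and with the path keys treated as `path.Match` patterns, both of which are assumptions of this example) and shows that the path-scoped entry suppresses AVD-DS-0002 only in the named Dockerfile, while the same finding in a different Dockerfile is still reported. The findings are constructed sample data.

```go
package main

import (
	"fmt"
	"path"
)

// Finding is a hypothetical, minimal shape for one scan result: the rule or
// vulnerability ID and the repository-relative file it was found in.
type Finding struct {
	ID   string
	File string
}

// IgnoreConfig mirrors the structure proposed in the issue: a repo-wide list
// plus per-path lists. Treating the path keys as path.Match patterns is an
// assumption of this example ('*' does not cross a '/' in path.Match).
type IgnoreConfig struct {
	Ignores     []string            // applies everywhere in the repository
	PathIgnores map[string][]string // pattern -> IDs ignored only under it
}

// IsIgnored reports whether a finding is suppressed and the reason, so a
// report can say why something was dropped instead of hiding it silently.
func (c IgnoreConfig) IsIgnored(f Finding) (bool, string) {
	for _, id := range c.Ignores {
		if id == f.ID {
			return true, "repo-wide ignore"
		}
	}
	file := path.Clean(f.File)
	for pattern, ids := range c.PathIgnores {
		ok, err := path.Match(path.Clean(pattern), file)
		if err != nil || !ok {
			continue // malformed or non-matching pattern: never suppress
		}
		for _, id := range ids {
			if id == f.ID {
				return true, "path ignore " + pattern
			}
		}
	}
	return false, ""
}

// Filter splits findings into those still reported and those suppressed.
func Filter(c IgnoreConfig, findings []Finding) (kept, suppressed []Finding) {
	for _, f := range findings {
		if ok, _ := c.IsIgnored(f); ok {
			suppressed = append(suppressed, f)
		} else {
			kept = append(kept, f)
		}
	}
	return kept, suppressed
}

// ExampleConfig is the .trivyignore.yaml shape from the issue, as a literal.
func ExampleConfig() IgnoreConfig {
	return IgnoreConfig{
		Ignores: []string{"CVE-123", "CVE-456"},
		PathIgnores: map[string][]string{
			"some/sub/directory/Dockerfile": {"AVD-DS-0002"},
		},
	}
}

// SampleFindings are constructed for this example: one repo-wide ignored CVE,
// the scoped Dockerfile finding, and the same rule firing in another file.
func SampleFindings() []Finding {
	return []Finding{
		{ID: "CVE-123", File: "go.sum"},
		{ID: "AVD-DS-0002", File: "./some/sub/directory/Dockerfile"},
		{ID: "AVD-DS-0002", File: "prod/Dockerfile"},
	}
}

func main() {
	kept, suppressed := Filter(ExampleConfig(), SampleFindings())
	for _, f := range suppressed {
		_, why := ExampleConfig().IsIgnored(f)
		fmt.Printf("suppressed %s in %s (%s)\n", f.ID, f.File, why)
	}
	for _, f := range kept {
		fmt.Printf("REPORT     %s in %s\n", f.ID, f.File)
	}
}
```

The point the issue makes in its caveat is visible in the output: with a flat, repo-wide `.trivyignore` the `prod/Dockerfile` finding would vanish along with the intentional one; with the scoped entry it is still reported.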
@huornlmj

huornlmj commented May 5, 2023

#4131 & #3900 also relate to this

@knqyf263 knqyf263 added the priority/backlog Higher priority than priority/awaiting-more-evidence. label May 8, 2023
@knqyf263
Collaborator

knqyf263 commented May 8, 2023

It makes sense, and I actually have the same idea in my mind. We hope to work on this task shortly.

@knqyf263 knqyf263 added this to the v0.42.0 milestone May 8, 2023
@knqyf263 knqyf263 modified the milestones: v0.42.0, v0.43.0 May 31, 2023
@knqyf263 knqyf263 modified the milestones: v0.43.0, v0.44.0 Jul 2, 2023
@knqyf263 knqyf263 modified the milestones: v0.44.0, v0.45.0 Jul 30, 2023