Merge pull request #4 from ambient-innovation/add-config-ignore
added trivy ignore file support
mastacheata committed Mar 13, 2024
2 parents 6152148 + a656216 commit 97ae96e
Showing 3 changed files with 9 additions and 4 deletions.
3 changes: 3 additions & 0 deletions README.md
@@ -75,6 +75,9 @@ backend:config scanning:
## Advanced Settings
The config scanning job exposes a few more variables by which you can adjust the scanning if needed. The default settings are the recommendation of the Secret Heroes, though.

### Use trivy ignore file
Set TRIVY_IGNOREFILE_DIR to target trivyignore file as an environment variable to use ignore file. Example value: `.trivyignore.yaml`

### Change minimum severity reported
By adding a new variable called `SEVERITY` to your job, you can change which severity items should be reported. The default is to report UNKNOWN, MEDIUM, HIGH and CRITICAL config issues. The remaining options are: `LOW`
Trivy requires a full list of severities to report. To report all severities from LOW and higher for example, you need to specify a comma-separated list like so: `SEVERITY: "LOW,MEDIUM,HIGH,CRITICAL,UNKNOWN"`
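Review bot: The new "Use trivy ignore file" section does not say what the variable holds, what its default is, or where the path is resolved. The name `TRIVY_IGNOREFILE_DIR` suggests a directory, but the example value `.trivyignore.yaml` and the phrase "target trivyignore file" show it is a file path, and the job templates in this same commit already default it to `.trivyignore.yaml`, so "Set ... to use ignore file" reads as opt-in when the file is in fact picked up whenever it exists at that path. Suggest either renaming the variable (e.g. `TRIVY_IGNOREFILE`) or stating plainly that it is a file path, documenting the default, and noting that the value is handed to `trivy config --ignorefile` unchanged, so it is not joined with `${DIRECTORY}` and must be given relative to the job's working directory. The sentence itself could read: "Set `TRIVY_IGNOREFILE_DIR` to the path of a trivy ignore file (default: `.trivyignore.yaml`)."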
5 changes: 3 additions & 2 deletions config-checks.template.yaml
@@ -15,15 +15,16 @@
# Is like that for backward-compatibility, previously we only had DIRECTORY.
FILENAME: "gl-codeclimate-$CI_JOB_NAME_SLUG.json"
EXIT_CODE_ON_FINDINGS: 1
TRIVY_IGNOREFILE_DIR: ".trivyignore.yaml"
before_script:
- if [ ! -e ${TRIVY_CACHE_DIR} ]; then mkdir -p ${TRIVY_CACHE_DIR}; fi
- if [ ! -e ${TRIVY_CACHE_DIR}config-checks.tpl ]; then wget --no-verbose https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-config-checks/main/config-checks.tpl -O ${TRIVY_CACHE_DIR}config-checks.tpl; fi
allow_failure: true
script:
# Report results to json file
- trivy config --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
- trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
# Report results as table
- trivy config --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
- trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
cache:
paths:
- .trivycache/
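Review bot: `--ignorefile ${TRIVY_IGNOREFILE_DIR}` is now unconditional on both `trivy config` lines and there is no clean way to switch it off: the expansion is unquoted, so setting the variable to an empty string to disable the feature drops the word entirely and leaves `--ignorefile --exit-code 0 ...`, where the flag takes the following word as its file name and the command at best errors out. A bad path also goes unnoticed on the first command, because `>/dev/null 2>&1 || true` discards both the error and the exit status, so the JSON report in `${FILENAME}` would silently not be written while the job carries on. Suggest building the flag conditionally, e.g. `IGNORE_ARGS=""; if [ -n "${TRIVY_IGNOREFILE_DIR}" ] && [ -f "${TRIVY_IGNOREFILE_DIR}" ]; then IGNORE_ARGS="--ignorefile ${TRIVY_IGNOREFILE_DIR}"; fi` in `before_script` and using `${IGNORE_ARGS}` on both commands, and printing whether the ignore file was found so the job log shows which findings may have been suppressed.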
5 changes: 3 additions & 2 deletions config-checks.yaml
@@ -18,15 +18,16 @@ config_scanning:
# Is like that for backward-compatibility, previously we only had DIRECTORY.
FILENAME: "gl-codeclimate-$CI_JOB_NAME_SLUG.json"
EXIT_CODE_ON_FINDINGS: 1
TRIVY_IGNOREFILE_DIR: ".trivyignore.yaml"
before_script:
- if [ ! -e ${TRIVY_CACHE_DIR} ]; then mkdir -p ${TRIVY_CACHE_DIR}; fi
- if [ ! -e ${TRIVY_CACHE_DIR}config-checks.tpl ]; then wget --no-verbose https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-config-checks/main/config-checks.tpl -O ${TRIVY_CACHE_DIR}config-checks.tpl; fi
allow_failure: true
script:
# Report results to json file
- trivy config --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
- trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
# Report results as table
- trivy config --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
- trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
cache:
paths:
- .trivycache/
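Review bot: The default and the two command lines here are a verbatim copy of the `config-checks.template.yaml` hunk, so the new `--ignorefile` flag (and any future fix to it) now has to be kept in sync by hand across both files; at minimum a comment pointing at the template would help, and a follow-up could derive this file from it. Worth a sentence in the README as well: since the default `.trivyignore.yaml` is resolved relative to the job's working directory, the ignore file lives in the scanned repository, so anyone who can push to that repository can suppress findings from this job, and suppressed findings appear in neither the JSON report nor the table. Changes to `.trivyignore.yaml` should therefore get the same review attention as changes to the scanned configuration itself.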
