diff --git a/README.md b/README.md
index 4469137..06416e0 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,9 @@ backend:config scanning: ## Advanced Settings The config scanning job exposes a few more variables by which you can adjust the scanning if needed. The default settings are the recommendation of the Secret Heroes, though.
+### Use trivy ignore file
+Set TRIVY_IGNOREFILE_DIR to target trivyignore file as an environment variable to use ignore file. Example value: `.trivyignore.yaml`
+
 ### Change minimum severity reported By adding a new variable called `SEVERITY` to your job, you can change which severity items should be reported. The default is to report UNKNOWN, MEDIUM, HIGH and CRITICAL config issues. The remaining options are: `LOW` Trivy requires a full list of severities to report. To report all severities from LOW and higher for example, you need to specify a comma-separated list like so: `SEVERITY: "LOW,MEDIUM,HIGH,CRITICAL,UNKNOWN"`
diff --git a/config-checks.template.yaml b/config-checks.template.yaml
index ad30287..34f1bdf 100644
--- a/config-checks.template.yaml
+++ b/config-checks.template.yaml
@@ -15,15 +15,16 @@
     # Is like that for backward-compatibility, previously we only had DIRECTORY.
     FILENAME: "gl-codeclimate-$CI_JOB_NAME_SLUG.json"
     EXIT_CODE_ON_FINDINGS: 1
+    TRIVY_IGNOREFILE_DIR: ".trivyignore.yaml"
   before_script:
     - if [ ! -e ${TRIVY_CACHE_DIR} ]; then mkdir -p ${TRIVY_CACHE_DIR}; fi
     - if [ ! -e ${TRIVY_CACHE_DIR}config-checks.tpl ]; then wget --no-verbose https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-config-checks/main/config-checks.tpl -O ${TRIVY_CACHE_DIR}config-checks.tpl; fi
   allow_failure: true
   script:
     # Report results to json file
-    - trivy config --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
+    - trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
     # Report results as table
-    - trivy config --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
+    - trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
   cache:
     paths:
       - .trivycache/
diff --git a/config-checks.yaml b/config-checks.yaml
index da1ef20..bfbfe19 100644
--- a/config-checks.yaml
+++ b/config-checks.yaml
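Review bot: Defaulting `TRIVY_IGNOREFILE_DIR` to `.trivyignore.yaml` and passing `--ignorefile` unconditionally on both new `trivy config` lines replaces trivy's built-in default of `.trivyignore`, which the removed lines relied on implicitly, so repositories that already keep suppressions in a plain `.trivyignore` will see them stop applying when they pick up this template; the config-checks.yaml hunk has the same issue. Keeping the default at trivy's own `.trivyignore`, or adding the flag only when the variable is non-empty via `${TRIVY_IGNOREFILE_DIR:+--ignorefile ${TRIVY_IGNOREFILE_DIR}}`, would honour the backward-compatibility the comment at the top of the hunk promises and also avoids a bare `--ignorefile` swallowing `--exit-code` when a user sets the variable to an empty string; the `_DIR` suffix is misleading too, since the value is a file path. Because the ignore file is read from the scanned repository, any commit can silence findings and pass the `EXIT_CODE_ON_FINDINGS` gate, so a comment next to the variable such as `# Path to the ignore file inside the scanned repo; edits to it suppress findings and should be reviewed like code.` and, if the pinned trivy version supports it, `--show-suppressed` on the table step would keep suppressions visible in the job log. Carried into the new lines rather than introduced here: `"@{TRIVY_CACHE_DIR}config-checks.tpl"` has no `$`, so unless trivy expands environment variables in the template path the JSON step reads a literal path and its failure is hidden by `>/dev/null 2>&1 || true` — worth confirming.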
@@ -18,15 +18,16 @@ config_scanning:
     # Is like that for backward-compatibility, previously we only had DIRECTORY.
     FILENAME: "gl-codeclimate-$CI_JOB_NAME_SLUG.json"
     EXIT_CODE_ON_FINDINGS: 1
+    TRIVY_IGNOREFILE_DIR: ".trivyignore.yaml"
   before_script:
     - if [ ! -e ${TRIVY_CACHE_DIR} ]; then mkdir -p ${TRIVY_CACHE_DIR}; fi
     - if [ ! -e ${TRIVY_CACHE_DIR}config-checks.tpl ]; then wget --no-verbose https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-config-checks/main/config-checks.tpl -O ${TRIVY_CACHE_DIR}config-checks.tpl; fi
   allow_failure: true
   script:
     # Report results to json file
-    - trivy config --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
+    - trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
     # Report results as table
-    - trivy config --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
+    - trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
   cache:
     paths:
       - .trivycache/