From dfb7a8ed53584301fedb769b229c8a59c8d19009 Mon Sep 17 00:00:00 2001
From: Birkan Kolcu
Date: Fri, 8 Mar 2024 17:41:13 +0100
Subject: [PATCH 1/3] added trivy ignore file support
---
 README.md | 3 +++
 config-checks.template.yaml | 15 +++++++++++----
 config-checks.yaml | 15 +++++++++++----
 3 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 4469137..06416e0 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,9 @@ backend:config scanning: ## Advanced Settings The config scanning job exposes a few more variables by which you can adjust the scanning if needed. The default settings are the recommendation of the Secret Heroes, though. +### Use trivy ignore file Set TRIVY_IGNOREFILE_DIR to target trivyignore file as an environment variable to use ignore file. Example value: `.trivyignore.yaml` + ### Change minimum severity reported By adding a new variable called `SEVERITY` to your job, you can change which severity items should be reported. The default is to report UNKNOWN, MEDIUM, HIGH and CRITICAL config issues. The remaining options are: `LOW` Trivy requires a full list of severities to report. To report all severities from LOW and higher for example, you need to specify a comma-separated list like so: `SEVERITY: "LOW,MEDIUM,HIGH,CRITICAL,UNKNOWN"`
diff --git a/config-checks.template.yaml b/config-checks.template.yaml
index ad30287..50159bf 100644
--- a/config-checks.template.yaml
+++ b/config-checks.template.yaml
@@ -20,10 +20,17 @@
 - if [ ! -e ${TRIVY_CACHE_DIR}config-checks.tpl ]; then wget --no-verbose https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-config-checks/main/config-checks.tpl -O ${TRIVY_CACHE_DIR}config-checks.tpl; fi
 allow_failure: true
 script:
- # Report results to json file
- - trivy config --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
- # Report results as table
- - trivy config --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
+ # TRIVY_IGNOREFILE_DIR is not set, do not use it.
+ ## # Report results to json file
+ - if [ -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true; fi
+ ## Report results as table
+ - if [ -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}; fi
+
+ # TRIVY_IGNOREFILE_DIR is set, use it.
+ ## Report results to json file
+ - if [ ! -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true; fi
+ ## Report results as table
+ - if [ ! -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}; fi
 cache:
 paths:
 - .trivycache/
diff --git a/config-checks.yaml b/config-checks.yaml
index da1ef20..08faa45 100644
--- a/config-checks.yaml
+++ b/config-checks.yaml
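Review bot: The four guarded lines repeat the same two trivy invocations, and the guard `[ ! -z "${TRIVY_IGNOREFILE_DIR}" ]` is just the long form of `[ -n "${TRIVY_IGNOREFILE_DIR}" ]`. The branching can be dropped by adding the option only when the value is non-empty, which also quotes the path that is currently passed bare to `--ignorefile`: `- trivy config ${TRIVY_IGNOREFILE_DIR:+--ignorefile "$TRIVY_IGNOREFILE_DIR"} --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true` and the same on the table line (the `${X:+…}` form works in POSIX sh as well as bash). Trivy also reads its flags from `TRIVY_`-prefixed environment variables, so a job variable named `TRIVY_IGNOREFILE` would, if that mapping holds for `--ignorefile` in the pinned trivy version, remove the need to pass the flag at all. Either way the `_DIR` suffix is misleading, since the README example value `.trivyignore.yaml` is a file, not a directory.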
@@ -23,10 +23,17 @@ config_scanning:
 - if [ ! -e ${TRIVY_CACHE_DIR}config-checks.tpl ]; then wget --no-verbose https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-config-checks/main/config-checks.tpl -O ${TRIVY_CACHE_DIR}config-checks.tpl; fi
 allow_failure: true
 script:
- # Report results to json file
- - trivy config --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
- # Report results as table
- - trivy config --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
+ # TRIVY_IGNOREFILE_DIR is not set, do not use it.
+ ## # Report results to json file
+ - if [ -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true; fi
+ ## Report results as table
+ - if [ -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}; fi
+
+ # TRIVY_IGNOREFILE_DIR is set, use it.
+ ## Report results to json file
+ - if [ ! -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true; fi
+ ## Report results as table
+ - if [ ! -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}; fi
 cache:
 paths:
 - .trivycache/
From fee2a89a16919ff96ef4bb5cc1aa088e683736f5 Mon Sep 17 00:00:00 2001
From: Birkan Kolcu
Date: Mon, 11 Mar 2024 09:38:10 +0100
Subject: [PATCH 2/3] refactor
---
 config-checks.template.yaml | 12 +++---------
 config-checks.yaml | 12 +++---------
 2 files changed, 6 insertions(+), 18 deletions(-)
diff --git a/config-checks.template.yaml b/config-checks.template.yaml
index 50159bf..89c2a85 100644
--- a/config-checks.template.yaml
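Review bot: The file passed on the two `--ignorefile` lines is read from the scanned checkout itself, so anyone who can push to the project can silence config findings by editing it in the same merge request, and nothing in this job makes that visible in the pipeline. A cheap mitigation is to print the file before scanning, e.g. `- if [ -f "${TRIVY_IGNOREFILE_DIR}" ]; then echo "Using trivy ignore file ${TRIVY_IGNOREFILE_DIR}:"; cat "${TRIVY_IGNOREFILE_DIR}"; fi`, so the suppressed check IDs appear in the job log next to the table. The README section added in this commit should also say that changes to the ignore file deserve the same review as a scan finding (a CODEOWNERS entry for it is the usual way to enforce that). Note that the path is presumably resolved against the job's working directory, not against `${DIRECTORY}`, which is worth stating in the README too.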
+++ b/config-checks.template.yaml
@@ -15,22 +15,16 @@
 # Is like that for backward-compatibility, previously we only had DIRECTORY.
 FILENAME: "gl-codeclimate-$CI_JOB_NAME_SLUG.json"
 EXIT_CODE_ON_FINDINGS: 1
+ TRIVY_IGNOREFILE_DIR: ".trivyignore.yaml"
 before_script:
 - if [ ! -e ${TRIVY_CACHE_DIR} ]; then mkdir -p ${TRIVY_CACHE_DIR}; fi
 - if [ ! -e ${TRIVY_CACHE_DIR}config-checks.tpl ]; then wget --no-verbose https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-config-checks/main/config-checks.tpl -O ${TRIVY_CACHE_DIR}config-checks.tpl; fi
 allow_failure: true
 script:
- # TRIVY_IGNOREFILE_DIR is not set, do not use it.
- ## # Report results to json file
- - if [ -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true; fi
- ## Report results as table
- - if [ -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}; fi
-
- # TRIVY_IGNOREFILE_DIR is set, use it.
 ## Report results to json file
- - if [ ! -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true; fi
+ - trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
 ## Report results as table
- - if [ ! -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}; fi
+ - trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
 cache:
 paths:
 - .trivycache/
diff --git a/config-checks.yaml b/config-checks.yaml
index 08faa45..e8b3baf 100644
--- a/config-checks.yaml
+++ b/config-checks.yaml
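Review bot: Defaulting `TRIVY_IGNOREFILE_DIR` to `.trivyignore.yaml` while deleting the `[ -z … ]` branches leaves no way to opt out: a project that overrides the variable with an empty value ends up running `trivy config --ignorefile --exit-code 0 …`, where the flag parser would most likely take `--exit-code` as the file name, and with `|| true` plus `allow_failure: true` that would pass quietly with no scan having run. Keep the flag conditional on the value, which also adds the missing quoting: `- trivy config ${TRIVY_IGNOREFILE_DIR:+--ignorefile "$TRIVY_IGNOREFILE_DIR"} --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true` and the same substitution on the table line. Trivy appears to skip a missing ignore file silently, so the default itself should be harmless for projects without one, but please confirm that against the trivy version pinned by the job image rather than relying on it.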
@@ -18,22 +18,16 @@ config_scanning:
 # Is like that for backward-compatibility, previously we only had DIRECTORY.
 FILENAME: "gl-codeclimate-$CI_JOB_NAME_SLUG.json"
 EXIT_CODE_ON_FINDINGS: 1
+ TRIVY_IGNOREFILE_DIR: ".trivyignore.yaml"
 before_script:
 - if [ ! -e ${TRIVY_CACHE_DIR} ]; then mkdir -p ${TRIVY_CACHE_DIR}; fi
 - if [ ! -e ${TRIVY_CACHE_DIR}config-checks.tpl ]; then wget --no-verbose https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-config-checks/main/config-checks.tpl -O ${TRIVY_CACHE_DIR}config-checks.tpl; fi
 allow_failure: true
 script:
- # TRIVY_IGNOREFILE_DIR is not set, do not use it.
- ## # Report results to json file
- - if [ -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true; fi
- ## Report results as table
- - if [ -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}; fi
-
- # TRIVY_IGNOREFILE_DIR is set, use it.
 ## Report results to json file
- - if [ ! -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true; fi
+ - trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
 ## Report results as table
- - if [ ! -z "${TRIVY_IGNOREFILE_DIR}" ]; then trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}; fi
+ - trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
 cache:
 paths:
 - .trivycache/
From a656216e1c600bc2ad4d6fdefdf13568b7d960ae Mon Sep 17 00:00:00 2001
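Review bot: The README text added in the previous commit ("Set TRIVY_IGNOREFILE_DIR to target trivyignore file as an environment variable to use ignore file") no longer matches this job: with the new default the `--ignorefile` flag is always passed, so a `.trivyignore.yaml` committed to any scanned repository is honored automatically without the project setting anything. That behaviour, how to point at a different file, and the fact that entries in it remove findings from both the JSON report and the table should be stated in the README; suggested wording: `By default the job passes .trivyignore.yaml from the project root to trivy; set TRIVY_IGNOREFILE_DIR to use a different file. Entries in that file suppress findings, so review changes to it as carefully as a scan finding.` Since the value is now user-overridable, quoting it as `--ignorefile "${TRIVY_IGNOREFILE_DIR}"` on both trivy lines would also be good hygiene.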
From: Birkan Kolcu
Date: Mon, 11 Mar 2024 09:43:11 +0100
Subject: [PATCH 3/3] remove extra char
---
 config-checks.template.yaml | 4 ++--
 config-checks.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config-checks.template.yaml b/config-checks.template.yaml
index 89c2a85..34f1bdf 100644
--- a/config-checks.template.yaml
+++ b/config-checks.template.yaml
@@ -21,9 +21,9 @@
 - if [ ! -e ${TRIVY_CACHE_DIR}config-checks.tpl ]; then wget --no-verbose https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-config-checks/main/config-checks.tpl -O ${TRIVY_CACHE_DIR}config-checks.tpl; fi
 allow_failure: true
 script:
- ## Report results to json file
+ # Report results to json file
 - trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
- ## Report results as table
+ # Report results as table
 - trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
 cache:
 paths:
diff --git a/config-checks.yaml b/config-checks.yaml
index e8b3baf..bfbfe19 100644
--- a/config-checks.yaml
+++ b/config-checks.yaml
@@ -24,9 +24,9 @@ config_scanning:
 - if [ ! -e ${TRIVY_CACHE_DIR}config-checks.tpl ]; then wget --no-verbose https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-config-checks/main/config-checks.tpl -O ${TRIVY_CACHE_DIR}config-checks.tpl; fi
 allow_failure: true
 script:
- ## Report results to json file
+ # Report results to json file
 - trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code 0 --format template --template "@{TRIVY_CACHE_DIR}config-checks.tpl" -o ${FILENAME} ${DIRECTORY} >/dev/null 2>&1 || true
- ## Report results as table
+ # Report results as table
 - trivy config --ignorefile ${TRIVY_IGNOREFILE_DIR} --exit-code ${EXIT_CODE_ON_FINDINGS} --format table ${DIRECTORY}
 cache:
 paths: