[cli] a way to add trivy client arguments to vulnerability scans (global or per K8s workload) #340
rurus9 started this conversation in Development
As I wrote in #337, a way to add specific trivy client arguments will be very useful for us.
With the trivy client I can add "do not show unfixed" (https://github.com/aquasecurity/trivy#ignore-unfixed-vulnerabilities):
--ignore-unfixed # display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
Another thing important to me is to avoid some false positive checks with Ruby (https://github.com/aquasecurity/trivy#skip-traversal-of-the-specific-files):
--skip-files "/Gemfile.lock,/app/Pipfile.lock"
Or ignore specific vulnerabilities (https://github.com/aquasecurity/trivy#ignore-the-specified-vulnerabilities):
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
@danielpacak wrote an answer
Ideally there should be options to set it for a specific K8s workload (e.g. I know that I have a false positive with my fluentd deployment, so I can ignore a specific CVE only for this deployment).
The ability to set it globally by starboard ConfigMap also comes into play.
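The scoping the post asks for (a global "ignore unfixed" default plus a CVE ignore list that applies to one workload only) can be illustrated as a post-filter over Trivy-style findings. This is an added example, not Starboard or Trivy code: the `POLICY` structure and function names are hypothetical, and the findings and CVE ids are constructed placeholders.

```python
# Constructed findings per workload. Field names follow Trivy's JSON report
# (VulnerabilityID, PkgName, FixedVersion); the CVE ids are placeholders.
FINDINGS = {
    "fluentd": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "gem-a", "FixedVersion": "1.2.3"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "lib-b", "FixedVersion": ""},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lib-c", "FixedVersion": "2.0"},
    ],
    "nginx": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "gem-a", "FixedVersion": "1.2.3"},
    ],
}

# Hypothetical policy: global defaults, overridden key by key per workload.
# "ignore_ids" holds text in .trivyignore form (one id per line, '#' comments).
POLICY = {
    "global": {"ignore_unfixed": True, "ignore_ids": ""},
    "workloads": {
        "fluentd": {"ignore_ids": "# known false positive\nCVE-0000-0001\n"},
    },
}

def parse_ignorefile(text):
    """Return the set of ids in .trivyignore-style text."""
    lines = (line.strip() for line in text.splitlines())
    return {line for line in lines if line and not line.startswith("#")}

def effective_policy(policy, workload):
    """Global settings, with the workload's own settings taking precedence."""
    merged = dict(policy["global"])
    merged.update(policy["workloads"].get(workload, {}))
    return merged

def filter_findings(findings, policy, workload):
    """Split findings into (kept, suppressed); suppressed keeps the reason."""
    p = effective_policy(policy, workload)
    ignored = parse_ignorefile(p["ignore_ids"])
    kept, suppressed = [], []
    for f in findings:
        if f["VulnerabilityID"] in ignored:
            suppressed.append((f["VulnerabilityID"], "ignored-id"))
        elif p["ignore_unfixed"] and not f.get("FixedVersion"):
            suppressed.append((f["VulnerabilityID"], "unfixed"))
        else:
            kept.append(f)
    return kept, suppressed
```

The same CVE id that is suppressed for `fluentd` is still reported for `nginx`, and every suppression is returned with its reason so it can be audited rather than silently dropped.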