Merge config files hierarchically and add support for config profiles #2009
Comments
Hi @henrysachs, it sounds like you'd only want to merge ignored vulnerabilities, is that correct? Or are there other parts of the config you'd expect to merge?
@willmurphyscode for my part, merging ignores would be sufficient.
Hey @henrysachs - we discussed this during the latest live stream (at the start). A few options were discussed. One suggestion raised was VEX support in Grype - which already exists. Have you considered using this existing functionality to ignore vulnerabilities you're not interested in getting notified about? You can pass multiple VEX documents to Grype, so you can point to a number of separate documents which may exist in different folders in your hierarchy.
Hey @popey, I can't watch the livestream currently (but nice that one exists!). I know about VEX and really like it, but unfortunately in my current context I don't know the exact location of the VEX documents, because there is no standard for the path to a VEX document. But as there is one for Grype, I want my users to be able to set a Grype config but have a global one too. That's why I would love a "real" merge and not just one for vulnerabilities. It would be even cooler if there was some kind of precedence, like the config in the home directory "winning" over the one in the repository. Hope I could explain myself a bit further, and if pointed correctly I would be happy to help out. PS: I would love to have the same for Syft!
👋 We will discuss this topic at our next Open Source Gardening Live Stream later today. Anyone interested in the topic is welcome to join. All the details are in this thread 🎉
We discussed this (a couple of times now) and there are still some outstanding questions about exactly what the behavior should be, but to tie some of the discussion together, I've implemented a PR here with one approach that would accomplish, I think, what @henrysachs is asking for (we discussed this on the live stream, and it sounded as though this approach would work): anchore/fangs#51
Hey @henrysachs -- if you happen to be itching to try this out, I would love to know that it works for you! #2194
What would you like to be added:
When a Grype config is found in the repository and in the home directory, I would like them to be merged.
Why is this needed:
I would like to exclude findings on a "global" basis via the file in my home directory and the local ones via the file in the repository
Additional context:
I created a .grype.yaml and one in the .grype/config.yaml location, and only the excludes of the first one were respected.
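To make the requested behaviour concrete, here is an added example (not Grype's or the fangs library's code) that merges two already-parsed config dictionaries: the `ignore` lists are unioned so that rules from both files are respected, and for every other key the config passed last wins, so the caller decides whether the home-directory or the repository file takes precedence, as suggested in the comments. The sample configs, the placeholder CVE ids and the simplified rule matcher are assumptions made for the example.

```python
from copy import deepcopy

# Constructed, already-parsed sample configs; CVE ids are placeholders.
HOME_CONFIG = {  # e.g. ~/.grype.yaml
    "fail-on-severity": "high",
    "ignore": [{"vulnerability": "CVE-XXXX-0001"}],
}
REPO_CONFIG = {  # e.g. ./.grype.yaml
    "fail-on-severity": "medium",
    "output": "json",
    "ignore": [
        {"vulnerability": "CVE-XXXX-0002", "package": {"name": "libfoo"}},
        {"vulnerability": "CVE-XXXX-0001"},  # same rule as the home file
    ],
}

def merge_configs(*configs, list_keys=("ignore",)):
    """Merge lowest precedence first: list_keys are unioned (order kept, no
    duplicates) so no file's ignore rules are lost, nested dicts merge
    recursively, and any other key is overwritten by the later config."""
    result = {}
    for cfg in configs:
        for key, value in cfg.items():
            if key in list_keys:
                merged = list(result.get(key, []))
                for item in value:
                    if item not in merged:
                        merged.append(item)
                result[key] = merged
            elif isinstance(value, dict) and isinstance(result.get(key), dict):
                result[key] = merge_configs(result[key], value, list_keys=list_keys)
            else:
                result[key] = deepcopy(value)
    return result

def rule_matches(rule, finding):
    """Simplified matcher (assumption, not Grype's own logic): every field the
    rule specifies must equal the finding's field, recursing into dicts."""
    for key, want in rule.items():
        have = finding.get(key)
        if isinstance(want, dict):
            if not isinstance(have, dict) or not rule_matches(want, have):
                return False
        elif have != want:
            return False
    return True

def is_ignored(finding, config):
    """True if any ignore rule in the (merged) config covers the finding."""
    return any(rule_matches(r, finding) for r in config.get("ignore", []))
```

Calling `merge_configs(REPO_CONFIG, HOME_CONFIG)` makes the home file win on scalar keys while keeping both files' ignore rules; reversing the argument order gives the repository file precedence.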