
trivyignores not working #337

Closed
arairyus opened this issue Apr 17, 2024 · 12 comments · Fixed by #338

Comments

@arairyus (Contributor)

arairyus commented Apr 17, 2024

Hi,
I have a problem with trivyignores. When I run it locally, I can ignore without any problem.

config

.trivyignore

# CRITICAL
AVD-GCP-0027

workflow.yml

env.WORKING_DIRECTORY = terraform/mask

      - name: Run Trivy vulnerability scanner in config mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          scan-ref: ${{ env.WORKING_DIRECTORY }}
          trivy-config: terraform/trivy.yaml
          trivyignores: ${{ env.WORKING_DIRECTORY }}/.trivyignore
Found ignorefile 'terraform/mask/.trivyignore':
# CRITICAL
AVD-GCP-0027
Running Trivy with trivy.yaml config from:  terraform/trivy.yaml
2024-04-17T03:39:36.626Z	INFO	Loaded terraform/trivy.yaml
2024-04-17T03:39:36.629Z	INFO	Misconfiguration scanning is enabled
2024-04-17T03:39:36.629Z	INFO	Need to update the built-in policies
2024-04-17T03:39:36.629Z	INFO	Downloading the built-in policies...
46.13 KiB / 46.13 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-04-17T03:39:40.494Z	INFO	Detected config files: 62

.terraform/modules/***/modules/network/modules/fabric-net-firewall/main.tf (terraform)
============================================================================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 3)

CRITICAL: Firewall rule allows ingress traffic from multiple addresses on the public internet.
════════════════════════════════════════
Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.

See https://avd.aquasec.com/misconfig/avd-gcp-0027
@arairyus (Contributor Author)

> I mean that this mistake is only in the comment, right?

Yes, I fixed the comment.

@afdesk

afdesk commented Apr 17, 2024

> I mean that this mistake is only in the comment, right?
>
> Yes, I fixed the comment.

Sorry for the confusion, I saw the logs:

Found ignorefile 'terraform/mask/.trivyignore':

@arairyus (Contributor Author)

Local:

% trivy config terraform/mask -c terraform/trivy.yaml --ignorefile terraform/mask/.trivyignore
2024-04-17T14:01:09.118+0900      INFO     Loaded terraform/trivy.yaml
2024-04-17T14:01:09.137+0900    INFO     Misconfiguration scanning is enabled
2024-04-17T14:01:13.002+0900    INFO     Detected config files: 62

@afdesk

afdesk commented Apr 17, 2024

It looks like there is a mistake here:

trivy-action/entrypoint.sh

Lines 145 to 158 in 207cd40

if [ $trivyIgnores ];then
  for f in $(echo $trivyIgnores | tr "," "\n")
  do
    if [ -f "$f" ]; then
      echo "Found ignorefile '${f}':"
      cat "${f}"
      cat "${f}" >> ./trivyignores
    else
      echo "ERROR: cannot find ignorefile '${f}'."
      exit 1
    fi
  done
  ARGS="$ARGS --ignorefile ./trivyignores"
fi

@arairyus (Contributor Author)

Full path only?

README.md:

> comma-separated list of relative paths in repository to one or more .trivyignore files

@afdesk

afdesk commented Apr 17, 2024

> Full path only?
>
> README.md: comma-separated list of relative paths in repository to one or more .trivyignore files

It's a bit strange, because there aren't any issues in my demo repo:

Run aquasecurity/trivy-action@master

Found ignorefile 'terraform/mask/.trivyignore':
# CRITICAL
AVD-GCP-0027
Running trivy with options: trivy config  --format table --severity  UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --ignorefile ./trivyignores --quiet .
Global options:  

terraform/main.tf (terraform)
=============================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

for this repo https://github.com/afdesk/demo-trivy-action

@afdesk

afdesk commented Apr 17, 2024

Local:

$ trivy config .
2024-04-17T11:40:46.564+0600	INFO	Misconfiguration scanning is enabled
2024-04-17T11:40:47.544+0600	INFO	Detected config files: 2

terraform/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: Firewall rule allows ingress traffic from multiple addresses on the public internet.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.

See https://avd.aquasec.com/misconfig/avd-gcp-0027
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform/main.tf:1-15
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "google_compute_firewall" "default" {
   2 │   name    = "test-firewall"
   3 │   network = google_compute_network.default.name
   4 │ 
   5 │   allow {
   6 │     protocol = "icmp"
   7 │   }
   8 │ 
   9 └   allow {
  ..   
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

$ trivy config --ignorefile terraform/mask/.trivyignore .
2024-04-17T11:41:15.415+0600	INFO	Misconfiguration scanning is enabled
2024-04-17T11:41:16.386+0600	INFO	Detected config files: 2

terraform/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

@afdesk

afdesk commented Apr 17, 2024

@arairyus, maybe your trivy.yaml contains ignorefile: .trivyignore?

@arairyus (Contributor Author)

@afdesk

My trivy.yml:

timeout: 10m
format: table
dependency-tree: true
list-all-pkgs: true
exit-code: 1
severity:
  - UNKNOWN
  - LOW
  - MEDIUM
  - HIGH
  - CRITICAL
scan:
  skip-files:
    - '**/.terraform/modules/*/examples/**'
    - '**/.terraform/modules/*/codelabs/**'
    - '**/.terraform/modules/*/test/**'
    - '**/.terraform/**/*.yaml'

@arairyus (Contributor Author)

arairyus commented Apr 17, 2024

jobs:
  terraform-plan:
    name: 'Terraform Plan'
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
        working-directory: ${{ env.WORKING_DIRECTORY }}

Is it because of the working directory setup?

@arairyus (Contributor Author)

I removed trivy-config and trivyignore worked!

@arairyus (Contributor Author)

If trivy-config is set, can't other options be set?

https://github.com/aquasecurity/trivy-action/blob/master/entrypoint.sh#L187-L204
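The last two comments point at the config branch dropping every other option. As an added example that is not trivy-action's own entrypoint.sh, here is an argument assembly that merges the ignore files and keeps --ignorefile alongside --config (function names and file paths are illustrative):

```shell
#!/bin/sh
# Added example, not trivy-action's entrypoint.sh: the argument assembly
# rewritten so that --ignorefile survives when a trivy.yaml config is also set.
# Function names and file paths are illustrative.

# Merge a comma-separated list of ignore files into a single file.
# Prints the merged file's path on success; returns 1 if any entry is missing.
merge_ignorefiles() {
  list="$1"
  out="$2"
  : > "$out"
  # tr turns the comma list into one path per line (paths with spaces are not supported)
  for f in $(printf '%s\n' "$list" | tr ',' '\n'); do
    if [ -f "$f" ]; then
      cat "$f" >> "$out"
    else
      echo "ERROR: cannot find ignorefile '$f'." >&2
      return 1
    fi
  done
  printf '%s\n' "$out"
}

# Build the Trivy argument string. --config is appended like any other flag
# instead of taking a separate branch that discards the rest of the options.
build_trivy_args() {
  scan_type="$1"
  scan_ref="$2"
  config="$3"
  merged="$4"
  args="$scan_type"
  if [ -n "$config" ]; then
    args="$args --config $config"
  fi
  if [ -n "$merged" ]; then
    args="$args --ignorefile $merged"
  fi
  printf '%s\n' "$args $scan_ref"
}
```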
