
.trivyignore file is ignored #436

Open
vweinberger-bhs opened this issue Nov 26, 2024 · 6 comments

vweinberger-bhs commented Nov 26, 2024

I'm using aquasecurity/trivy-action@0.29.0 in my GitHub Actions workflow. I want to use a .trivyignore.yml to specify the files which should be ignored.

.trivyignore.yml:

misconfigurations:
  - id: AVD-KSV-0109
    paths:
      - "kubernetes/*/grafana/datasources.yml"

Locally the misconfiguration is ignored; everything works as expected when I execute:

trivy config . --ignorefile ./.trivyignore.yml

In my GitHub Actions workflow, I set trivyignores: './.trivyignore.yml' for the aquasecurity/trivy-action call in the with block.
The file ./.trivyignore.yml is found; this is the output of the workflow:

Run aquasecurity/trivy-action@0.29.0
  with:
    scan-type: config
    hide-progress: false
    format: table
    exit-code: 1
    ignore-unfixed: true
    severity: CRITICAL,HIGH
    token-setup-trivy: ***
    trivyignores: ./.trivyignore.yml
    scan-ref: .
    vuln-type: os,library
    cache-dir: /home/runner/_work/prometheus-prod/prometheus-prod/.cache/trivy
    list-all-pkgs: false
    version: v0.57.1
    cache: true
    skip-setup-trivy: false
Run aquasecurity/setup-trivy@v0.2.2
  with:
    version: v0.57.1
    cache: true
    token: ***
    path: $HOME/.local/bin
Run echo "dir=$HOME/.local/bin/trivy-bin" >> $GITHUB_OUTPUT
Run actions/cache@v4
Cache Size: ~36 MB (37617819 B)
/usr/bin/tar -xf /home/runner/_work/_temp/a21d65b6-deab-4928-9432-0e6519eb5654/cache.tzst -P -C /home/runner/_work/prometheus-prod/prometheus-prod --use-compress-program unzstd
Cache restored successfully
Cache restored from key: trivy-binary-v0.57.1-Linux-X64
Run echo /home/runner/.local/bin/trivy-bin >> $GITHUB_PATH
Run echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
Run actions/cache@v4
Cache Size: ~0 MB (179237 B)
/usr/bin/tar -xf /home/runner/_work/_temp/cf0ef589-84b1-4746-a253-aa223c060c7e/cache.tzst -P -C /home/runner/_work/prometheus-prod/prometheus-prod --use-compress-program unzstd
Cache restored successfully
Cache restored from key: cache-trivy-2024-11-26
Run echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
Run # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
Run entrypoint.sh
Found ignorefile './.trivyignore.yml':
misconfigurations:
  - id: AVD-KSV-0109
    paths:
      - "kubernetes/development/grafana/datasources.yml"
      - "kubernetes/production/grafana/datasources.yml"
Running Trivy with options: trivy config .

As you can see in the last line, trivy itself is not executed with "--ignorefile" as it is locally. Maybe this is the problem?

The result is that my configured files in ./.trivyignore.yml, which should be ignored, are not ignored and I get the following error:

2024-11-26T13:47:50Z	INFO	Detected config files	num=11

kubernetes/development/grafana/datasources.yml (kubernetes)
===========================================================
Tests: 9 (SUCCESSES: 8, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-KSV-0109 (HIGH): ConfigMap 'grafana-datasources' in 'default' namespace stores secrets in key(s) or value(s) '{"#     clientSecret"}'
════════════════════════════════════════
Storing secrets in configMaps is unsafe

See https://avd.aquasec.com/misconfig/avd-ksv-0109
────────────────────────────────────────

Please investigate this issue.


claudioma82 commented Nov 28, 2024

I found the problem: the script entrypoint.sh doesn't support files with a yaml extension like trivyignore.yaml.

Line 13, ignorefile="./trivyignores", creates the trivyignore in text format, and the following lines of the script basically read the INPUT_TRIVYIGNORES list and write into the ignore file created at line 13.

If the files in the INPUT_TRIVYIGNORES are in text format, everything works, but if the files are in .yaml, trivy doesn't understand the yaml format because the ignorefile (created at line 13) doesn't have the .yaml extension.

As a workaround (like I did), you can write your .trivyignore.yml as a text file and call it .trivyignore.
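To make the diagnosis above concrete, here is an added example (not the trivy-action entrypoint.sh, nor any Trivy code) of how a merge step could preserve the extension Trivy relies on to choose its parser: a hypothetical merge_ignorefiles function that concatenates plain-text ignore files into an extension-less file as before, but copies a YAML input to a .yaml-suffixed file and refuses to mix the two formats, since a line-per-ID concatenation of YAML would be neither format.

```shell
#!/bin/sh
# merge_ignorefiles LIST OUTDIR
#   LIST   comma-separated ignore files, as the trivyignores input is written
#   OUTDIR scratch directory for the single file Trivy's --ignorefile accepts
# Prints the path of the produced file; returns 1 on an unsupported mix.
merge_ignorefiles() {
    list="$1"; outdir="$2"
    yaml_count=0; text_count=0

    # Classify each input by extension: Trivy picks the YAML parser from the
    # .yml/.yaml suffix, so the suffix must survive into the merged file.
    IFS=','
    for f in $list; do
        case "$f" in
            *.yml|*.yaml) yaml_count=$((yaml_count + 1)) ;;
            *)            text_count=$((text_count + 1)) ;;
        esac
    done
    unset IFS

    if [ "$yaml_count" -gt 0 ] && [ "$text_count" -gt 0 ]; then
        echo "refusing to mix YAML and plain-text ignore files" >&2
        return 1
    fi
    if [ "$yaml_count" -gt 1 ]; then
        # Plain concatenation of two YAML documents is not a valid ignore file;
        # merging them needs a YAML-aware tool, which this example leaves out.
        echo "merging several YAML ignore files needs a YAML-aware merge" >&2
        return 1
    fi

    if [ "$yaml_count" -eq 1 ]; then
        # Exactly one YAML input: keep it intact and keep the extension.
        out="$outdir/trivyignores.yaml"
        cp "$list" "$out"
    else
        # Text format is one ID per line, so concatenation is a valid merge.
        out="$outdir/trivyignores"
        : > "$out"
        IFS=','
        for f in $list; do
            cat "$f" >> "$out"
            echo >> "$out"   # guard against a missing trailing newline
        done
        unset IFS
    fi
    printf '%s\n' "$out"
}
```

The printed path is what would be handed to trivy config . --ignorefile; a CI step that wants several YAML files still needs a real YAML merge, as the comment in the function notes.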


vweinberger-bhs commented Nov 28, 2024

Thank you for your investigation.

I can confirm that the usage of a .trivyignore text file works. But it is not a real workaround because with .trivyignore.yml you can do much more than with .trivyignore. For example, configuring a file path for which a specific misconfiguration should be ignored. By using .trivyignore, you can only ignore the misconfiguration for all files.

Will .trivyignore.yml/yaml be supported in the future?

@vweinberger-bhs

👍 This issue can be closed.

@nikpivkin

@simar7 The ignorefile argument accepts multiple files and then merges them into one, since trivy only accepts one ignorefile. For yaml support we would need to use a tool like yq to merge multiple files into one or add a new argument. WDYT?


simar7 commented Nov 29, 2024

The ignorefile argument accepts multiple files and then merges them into one,

@nikpivkin if this is the case, then we shouldn't do this as it diverges from Trivy CLI behavior. Was this intentional?

@nikpivkin

I don't know, it was implemented a long time ago.
