.trivyignore file is ignored #436
I found the problem: the script The line 13: If the files in the As a workaround (like I did) you can write your
Thank you for your investigation. I can confirm that the usage of a .trivyignore text file works. But it is not a real workaround because with .trivyignore.yml you can do much more than with .trivyignore. For example configure a file path, for which a specific misconfiguration should be ignored. By using .trivyignore, you can just ignore the misconfiguration for all files. Will .trivyignore.yml/yaml be supported in the future?
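The difference described in the comment above, as an added illustration that is not part of the thread: a `.trivyignore.yml` that limits one misconfiguration ignore to a single path, with the plain-text `.trivyignore` equivalent shown in comments. The check ID, path and statement are constructed sample values; the `misconfigurations`, `id`, `paths` and `statement` keys are those of Trivy's YAML ignore-file format.

```yaml
# Plain-text .trivyignore: one ID per line, applied to every file in the scan.
#
#   AVD-DS-0002
#
# .trivyignore.yml: the same ID, ignored only for the listed path.
misconfigurations:
  - id: AVD-DS-0002            # constructed sample check ID
    paths:
      - "docs/Dockerfile"      # constructed sample path; other files still report this ID
    statement: Accepted for the docs image only   # free-text justification
```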
👍 This issue can be closed.
@nikpivkin if this is the case, then we shouldn't do this as it diverges from Trivy CLI behavior. Was this intentional?
I don't know, it was implemented a long time ago.
I'm using aquasecurity/trivy-action@0.29.0 in my GitHub Actions workflow. I want to use a .trivyignore.yml to specify the files which should be ignored.
.trivyignore.yml:
Locally the misconfiguration is ignored, everything works as expected when I am executing:
In my GitHub Actions workflow, I set
trivyignores: './.trivyignore.yml'
for the aquasecurity/trivy-action call in the with block. The file ./.trivyignore.yml is found, this is the output of the workflow:
As you can see in the last line, trivy itself is not executed with "--ignorefile" like locally. Maybe this is the problem?
The result is that my configured files in ./.trivyignore.yml, which should be ignored, are not ignored and I get the following error:
Please investigate this issue.