Support trivy allow lists per image

Author: assumptionsandg

.github/workflows/stackhpc-container-image-build.yml

@@ -145,6 +145,10 @@ jobs:
         run: |
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.49.0
 
+      - name: Install yq
+        run: |
+          wget https://github.com/mikefarah/yq/releases/download/v4.42.1/yq_linux_amd64.tar.gz -O - | tar xz && sudo mv yq_linux_amd64 /usr/bin/yq
+
       - name: Install Kayobe
         run: |
           mkdir -p venvs &&

etc/kayobe/trivy.yml

@@ -0,0 +1,15 @@
+---
+###############################################################################
+# Trivy allowed vulnerabilities list
+
+# Example allowed vulnerabilities file setup
+#
+# keystone_allowed_vulnerabilities:
+#   CVE-2022-2447
+#
+# horizon_allowed_vulnerabilities:
+#   CVE-2022-45582
+
+###############################################################################
+# Dummy variable to allow Ansible to accept this file.
+workaround_ansible_issue_8743: yes

tools/scan-images.sh

@@ -33,6 +33,10 @@ touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt
 # If there are vulnerabilities detected, add it to dirty-images.txt and
 # generate a csv summary
 for image in $images; do
+  rm .trivyignore && touch .trivyignore
+  for vulnerability in $(yq ${image}_allowed_vulnerabilities $KAYOBE_CONFIG_PATH/trivy.yml); do
+    echo $vulnerability >> .trivyignore;
+  done
   filename=$(basename $image | sed 's/:/\./g')
   if $(trivy image \
           --quiet \