Support allowed vulnerabilities in Trivy #989

Merged (3 commits, Jun 27, 2024)
4 changes: 4 additions & 0 deletions .github/workflows/stackhpc-container-image-build.yml
@@ -136,6 +136,10 @@ jobs:
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.49.0

- name: Install yq
run: |
curl -sL https://github.com/mikefarah/yq/releases/download/v4.42.1/yq_linux_amd64.tar.gz | tar xz && sudo mv yq_linux_amd64 /usr/bin/yq

- name: Install Kayobe
run: |
mkdir -p venvs &&
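Review bot: the yq install step (`curl -sL ... | tar xz && sudo mv yq_linux_amd64 /usr/bin/yq`) pins a release tag but performs no integrity check on the archive before a root-owned binary is placed on the PATH; download the tarball to a file, verify it against the published release checksum, and only then extract and move it, mirroring how the trivy step just above pins its installer version. Also, trivy is installed into /usr/local/bin while yq goes to /usr/bin; pick one location for workflow-installed tooling.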
18 changes: 18 additions & 0 deletions etc/kayobe/trivy/allowed-vulnerabilities.yml
@@ -0,0 +1,18 @@
---
###############################################################################
# Trivy allowed vulnerabilities list

# Example allowed vulnerabilities file setup
#
# keystone_allowed_vulnerabilities:
# - CVE-2022-2447
#
# barbican_api_allowed_vulnerabilities:
# - CVE-2023-31047

global_allowed_vulnerabilities:
- CVE-2024-36039

###############################################################################
# Dummy variable to allow Ansible to accept this file.
workaround_ansible_issue_8743: yes
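Review bot: `global_allowed_vulnerabilities` suppresses CVE-2024-36039 in every scanned image, and nothing records why it is accepted or when the exception should be revisited; add a one-line justification beside each entry (affected package, why it is not exploitable here, tracking issue or removal date) so the list does not turn into a permanent silent exception. The header comment should also spell out the naming rule the scanner depends on, that the per-image key is the image name with hyphens replaced by underscores (the example `barbican_api_allowed_vulnerabilities` for `barbican-api` shows it implicitly), because a mistyped key matches nothing and produces no error.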
11 changes: 11 additions & 0 deletions tools/scan-images.sh
@@ -34,6 +34,16 @@ touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt
# generate a csv summary
for image in $images; do
filename=$(basename $image | sed 's/:/\./g')
imagename=$(echo $filename | cut -d "." -f 1 | sed 's/-/_/g')
global_vulnerabilities=$(yq .global_allowed_vulnerabilities[] src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
image_vulnerabilities=$(yq .$imagename'_allowed_vulnerabilities[]' src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
touch .trivyignore
for vulnerability in $global_vulnerabilities; do
echo $vulnerability >> .trivyignore
done
for vulnerability in $image_vulnerabilities; do
echo $vulnerability >> .trivyignore
done
if $(trivy image \
--quiet \
--exit-code 1 \
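Review bot: `touch .trivyignore` does not truncate, so if an earlier run stopped before the `rm .trivyignore` at the end of the loop, that run's last allowlist is inherited by and appended to for every image in the current run; create the file empty at the start of each iteration (`: > .trivyignore`) or write to a per-image temporary file instead. The `trivy image` call also relies on Trivy's default lookup of `.trivyignore` in the working directory; pass it explicitly with `--ignorefile` so the dependency on cwd is visible. Finally, `yq .$imagename'_allowed_vulnerabilities[]'` runs for every image, most of which define no key; confirm that yq prints nothing (rather than an error or a literal `null`, which would end up in `.trivyignore`) when the key is absent, or give it an explicit empty default.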
@@ -76,4 +86,5 @@ for image in $images; do
| .[]
| @csv' image-scan-output/$(unknown).json >> image-scan-output/$(unknown).summary.csv
fi
rm .trivyignore
done
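Review bot: `rm .trivyignore` only executes when the loop body reaches the end of the iteration; if the script runs under `set -e` or any step exits early after a failed `trivy` or `jq` invocation, the file is left behind carrying that image's allowlist, and a plain `rm` will itself fail if the file is missing. Use `rm -f` and add `trap 'rm -f .trivyignore' EXIT` near the top of the script so cleanup happens regardless of how the loop terminates.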