.trivyignore file is ignored

[vweinberger-bhs]

I'm using aquasecurity/[email protected] in my GitHub Actions workflow. I want to use a .trivyignore.yml to specify the files which should be ignored.

.trivyignore.yml:

misconfigurations:
  - id: AVD-KSV-0109
    paths:
      - "kubernetes/*/grafana/datasources.yml"

Locally the misconfiguration is ignored, everything works as expected when I am executing:

trivy config . --ignorefile ./.trivyignore.yml

In my GitHub Actions workflow, I set trivyignores: './.trivyignore.yml' for the aquasecurity/trivy-action call in the with block.
The file ./.trivyignore.yml is found, this is the output of the workflow:

Run aquasecurity/[email protected]
  with:
    scan-type: config
    hide-progress: false
    format: table
    exit-code: [1](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:1)
    ignore-unfixed: true
    severity: CRITICAL,HIGH
    token-setup-trivy: ***
    trivyignores: ./.trivyignore.yml
    scan-ref: .
    vuln-type: os,library
    cache-dir: /home/runner/_work/prometheus-prod/prometheus-prod/.cache/trivy
    list-all-pkgs: false
    version: v0.57.1
    cache: true
    skip-setup-trivy: false
Run aquasecurity/setup-trivy@v0.[2](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:2).2
  with:
    version: v0.57.1
    cache: true
    token: ***
    path: $HOME/.local/bin
Run echo "dir=$HOME/.local/bin/trivy-bin" >> $GITHUB_OUTPUT
Run actions/cache@v4
Cache Size: ~[3](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:3)6 MB (37617819 B)
/usr/bin/tar -xf /home/runner/_work/_temp/a21d65b6-deab-[4](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:4)928-9432-0e6519eb5654/cache.tzst -P -C /home/runner/_work/prometheus-prod/prometheus-prod --use-compress-program unzstd
Cache restored successfully
Cache restored from key: trivy-binary-v0.[5](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:5)7.1-Linux-X64
Run echo /home/runner/.local/bin/trivy-bin >> $GITHUB_PATH
Run echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
Run actions/cache@v4
Cache Size: ~0 MB (179237 B)
/usr/bin/tar -xf /home/runner/_work/_temp/cf0ef589-84b1-474[6](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:6)-a253-aa223c060c[7](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:7)e/cache.tzst -P -C /home/runner/_work/prometheus-prod/prometheus-prod --use-compress-program unzstd
Cache restored successfully
Cache restored from key: cache-trivy-2024-11-26
Run echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
Run # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
Run entrypoint.sh
Found ignorefile './.trivyignore.yml':
misconfigurations:
  - id: AVD-KSV-010[9](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:9)
    paths:
      - "kubernetes/development/grafana/datasources.yml"
      - "kubernetes/production/grafana/datasources.yml"
Running Trivy with options: trivy config .

As you can see in the last line, trivy itself is not executed with "--ignorefile" like locally. Maybe this is the problem?

The result is that my configured files in ./.trivyignore.yml, which should be ignored, are not ignored and I get the following error:

2024-11-26T13:47:50Z	INFO	Detected config files	num=11

kubernetes/development/grafana/datasources.yml (kubernetes)
===========================================================
Tests: 9 (SUCCESSES: 8, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-KSV-0109 (HIGH): ConfigMap 'grafana-datasources' in 'default' namespace stores secrets in key(s) or value(s) '{"#     clientSecret"}'
════════════════════════════════════════
Storing secrets in configMaps is unsafe

See https://avd.aquasec.com/misconfig/avd-ksv-0109
────────────────────────────────────────

Please investigate this issue.

[claudioma82]

I found the problem: the script entrypoint.sh doesn't support files with yaml extension like trivyignore.yaml.

The line 13: ignorefile="./trivyignores" creates the trivyignore in text format, and the following lines of the script basically read the INPUT_TRIVYIGNORES list and write in the ignore file created at line 13.

If the files in the INPUT_TRIVYIGNORES are in text format everything works, but if the files are in .yaml, trivy doesn't understand the yaml format because the ignorefile (created at line 13) doesn't have the .yaml extension.

As a workaround (like I did) you can write your .trivyignore.yml as text file and call it .trivyignore

[vweinberger-bhs]

Thank you for your investigation.

I can confirm that the usage of a .trivyignore text file works. But it is not a real workaround because with .trivyignore.yml you can do much more than with .trivyignore. For example configure a file path, for which a specific misconfiguration should be ignored. By using .trivyignore, you can just ignore the misconfiguration for all files.

Will .trivyignore.yml/yaml be supported in the future?

[vweinberger-bhs]

👍 This issue can be closed.

[nikpivkin]

@simar7 The ignorefile argument accepts multiple files and then merges them into one, since trivy only accepts one ignorefile. For yaml support we would need to use a tool like yq to merge multiple files into one or add a new argument. WDYT?

[simar7]

The ignorefile argument accepts multiple files and then merges them into one,

@nikpivkin if this is the case, then we shouldn't do this as it diverges from Trivy CLI behavior. Was this intentional?