
Commit 709fdb0

authored
update trivy config (#247)
* update nix flake * add trivyignore config * use ignore config in CI pipelines * update cargo deny config
1 parent 83a5ca3 commit 709fdb0

7 files changed

Lines changed: 45 additions & 19 deletions


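--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -75,6 +75,9 @@ jobs:
 
 - name: Scan image with Trivy
 uses: aquasecurity/trivy-action@0.33.1
+env:
+TRIVY_SHOW_SUPPRESSED: 1
+TRIVY_IGNOREFILE: "./.trivyignore.yaml"
 with:
 image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
 format: "table"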
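Review bot: The `env:` block with `TRIVY_SHOW_SUPPRESSED` and `TRIVY_IGNOREFILE` added to this step is repeated verbatim in the Trivy step of ci.yml and in all four Trivy steps of sbom.yml, so the ignore-file path now lives in six places and a later rename has to be applied to each. Declaring it once per workflow (or per job) would keep a single source of truth, e.g. a top-level `env:` / `TRIVY_SHOW_SUPPRESSED: 1` / `TRIVY_IGNOREFILE: "./.trivyignore.yaml"`. The path is relative to the working directory, so it only resolves if the job checks out the repository before this scan step; the checkout step is outside the hunk.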

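--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,9 +35,12 @@ jobs:
 
 - name: Scan code with Trivy
 uses: aquasecurity/trivy-action@0.33.1
+env:
+TRIVY_SHOW_SUPPRESSED: 1
+TRIVY_IGNOREFILE: "./.trivyignore.yaml"
 with:
-scan-type: 'fs'
-scan-ref: '.'
+scan-type: "fs"
+scan-ref: "."
 exit-code: "1"
 ignore-unfixed: true
 severity: "CRITICAL,HIGH,MEDIUM"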

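--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -34,40 +34,52 @@ jobs:
 
 - name: Create SBOM with Trivy
 uses: aquasecurity/trivy-action@0.33.1
+env:
+TRIVY_SHOW_SUPPRESSED: 1
+TRIVY_IGNOREFILE: "./.trivyignore.yaml"
 with:
-scan-type: 'fs'
-format: 'spdx-json'
+scan-type: "fs"
+format: "spdx-json"
 output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}.sbom.json"
-scan-ref: '.'
+scan-ref: "."
 severity: "CRITICAL,HIGH,MEDIUM,LOW"
 scanners: "vuln"
 
 - name: Create docker image SBOM with Trivy
 uses: aquasecurity/trivy-action@0.33.1
+env:
+TRIVY_SHOW_SUPPRESSED: 1
+TRIVY_IGNOREFILE: "./.trivyignore.yaml"
 with:
 image-ref: "ghcr.io/defguard/gateway:${{ steps.vars.outputs.VERSION }}"
-scan-type: 'image'
-format: 'spdx-json'
+scan-type: "image"
+format: "spdx-json"
 output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}-docker.sbom.json"
 severity: "CRITICAL,HIGH,MEDIUM,LOW"
 scanners: "vuln"
 
 - name: Create security advisory file with Trivy
 uses: aquasecurity/trivy-action@0.33.1
+env:
+TRIVY_SHOW_SUPPRESSED: 1
+TRIVY_IGNOREFILE: "./.trivyignore.yaml"
 with:
-scan-type: 'fs'
-format: 'json'
+scan-type: "fs"
+format: "json"
 output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}.advisories.json"
-scan-ref: '.'
+scan-ref: "."
 severity: "CRITICAL,HIGH,MEDIUM,LOW"
 scanners: "vuln"
 
 - name: Create docker image security advisory file with Trivy
 uses: aquasecurity/trivy-action@0.33.1
+env:
+TRIVY_SHOW_SUPPRESSED: 1
+TRIVY_IGNOREFILE: "./.trivyignore.yaml"
 with:
 image-ref: "ghcr.io/defguard/gateway:${{ steps.vars.outputs.VERSION }}"
-scan-type: 'image'
-format: 'json'
+scan-type: "image"
+format: "json"
 output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}-docker.advisories.json"
 severity: "CRITICAL,HIGH,MEDIUM,LOW"
 scanners: "vuln"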
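Review bot: Applying the ignore file to the two "security advisory file" steps (new lines 63-65 and 76-78) means a known, still-unfixed vulnerability is suppressed in the very artefacts that are presumably published as the advisory list for a release. `TRIVY_SHOW_SUPPRESSED` is set, so Trivy should still carry the entry in the JSON as a suppressed finding rather than drop it, but that is worth confirming once against a generated `*.advisories.json` before relying on it. If the goal is only to keep the table/exit-code scans in ci.yml and build-docker.yml green, the `env:` block could be omitted from the two advisory-file steps so the published report stays complete. For the two spdx-json SBOM steps the ignore file should not change the component list, so it is harmless but unnecessary there.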

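--- /dev/null
+++ b/.trivyignore.yaml
@@ -0,0 +1,4 @@
+vulnerabilities:
+- id: GHSA-585q-cm62-757j
+expired_at: 2026-02-12
+statement: "No fixed version available yet. The Mullvad team intends to fix it in the coming weeks: https://github.com/mullvad/mnl-rs/issues/15"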
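Review bot: The entry is unscoped, so GHSA-585q-cm62-757j is suppressed in every one of the six scans that now reference this file, including the image scans in build-docker.yml and sbom.yml; if the affected crate only surfaces through Cargo.lock, Trivy's YAML ignore format also accepts a `paths` list that would narrow the suppression, e.g. `paths:` / `- "Cargo.lock"` under the entry (confirm against the Trivy version pinned by the action). `expired_at: 2026-02-12` is a hard deadline rather than a reminder: once it passes the finding returns and ci.yml, which runs with `exit-code: "1"`, fails until the entry is extended or removed — intended, but worth a comment such as `# expiry re-enables the finding; revisit before this date`. Note also that ci.yml already sets `ignore-unfixed: true`, so if the advisory truly has no fixed version this entry mainly matters for the sbom.yml and build-docker.yml steps, which do not set that option.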

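--- a/deny.toml
+++ b/deny.toml
@@ -69,7 +69,10 @@ feature-depth = 1
 #db-urls = ["https://github.com/rustsec/advisory-db"]
 # A list of advisory IDs to ignore. Note that ignored advisories will still
 # output a note when they are encountered.
-ignore = [{ id = "RUSTSEC-2024-0436", reason = "Unmaintained" }]
+ignore = [
+{ id = "RUSTSEC-2024-0436", reason = "Unmaintained" },
+{ id = "RUSTSEC-2025-0142", reason = "Awaiting upstream patch" },
+]
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.
 # Setting this to true can be helpful if you have special authentication requirements that cargo-deny does not support.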
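Review bot: The new ignore entry for RUSTSEC-2025-0142 carries neither an expiry nor a tracking link, unlike the Trivy entry in .trivyignore.yaml which has `expired_at` and an issue URL, so nothing will prompt anyone to drop it once upstream ships a fix. cargo-deny ignore entries have no date field as far as I know, so the reason string is the place for it: `{ id = "RUSTSEC-2025-0142", reason = "Awaiting upstream patch, see <TRACKING-ISSUE-URL>" },`. If this is the same mnl-rs advisory that the Trivy ignore file suppresses, point at the same issue so both suppressions can be removed together.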

flake.lock

Lines changed: 6 additions & 6 deletions

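--- a/flake.nix
+++ b/flake.nix
@@ -37,6 +37,7 @@
 rustToolchain
 libnftnl
 libmnl
+trivy
 ];
 };
 });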
