Add option to ignore CVEs found by Trivy (#1300)

Author: majanjua-amzn

.github/actions/image_scan/action.yml

@@ -11,6 +11,10 @@ inputs:
   severity:
     required: true
     description: "List of severities that will cause a failure"
+  trivyignore-file:
+    required: false
+    default: ''
+    description: "Path to the .trivyignore.yaml file to use for this scan"
   logout:
     required: true
     description: |
@@ -36,4 +40,6 @@ runs:
       with:
         image-ref: ${{ inputs.image-ref }}
         severity: ${{ inputs.severity }}
-        exit-code: '1'
+        exit-code: '1'
+      env:
+        TRIVY_IGNOREFILE: ${{ inputs.trivyignore-file }}

.github/trivy/daily-scan.trivyignore.yaml

@@ -0,0 +1,13 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Trivy ignore file for daily scans.
+# This file is intentionally empty. Daily scans should flag all CVEs.
+# See: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/
+
+# Format:
+#  - id: <CVE-###>
+#    statement: "<Why are we excluding?> <link to CVE where we can we status>"
+#    expired_at: <required - YYYY-MM-DD>
+
+vulnerabilities: []

.github/trivy/pr-build.trivyignore.yaml

@@ -0,0 +1,11 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# See: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/
+
+# Format:
+#  - id: <CVE-###>
+#    statement: "<Why are we excluding?> <link to CVE where we can we status>"
+#    expired_at: <required - YYYY-MM-DD>
+
+vulnerabilities: []

.github/workflows/daily-scan.yml

@@ -95,6 +95,7 @@ jobs:
           image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v1.33.0"
           severity: 'CRITICAL,HIGH'
           logout: 'false'
+          trivyignore-file: .github/trivy/daily-scan.trivyignore.yaml
 
       - name: Perform low image scan on v1
         if: always()
@@ -104,6 +105,7 @@ jobs:
           image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v1.33.0"
           severity: 'MEDIUM,LOW,UNKNOWN'
           logout: 'false'
+          trivyignore-file: .github/trivy/daily-scan.trivyignore.yaml
 
       - name: Perform high image scan on v2
         if: always()
@@ -113,6 +115,7 @@ jobs:
           image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v2.20.0"
           severity: 'CRITICAL,HIGH'
           logout: 'false'
+          trivyignore-file: .github/trivy/daily-scan.trivyignore.yaml
 
       - name: Perform low image scan on v2
         if: always()
@@ -122,6 +125,7 @@ jobs:
           image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v2.20.0"
           severity: 'MEDIUM,LOW,UNKNOWN'
           logout: 'false'
+          trivyignore-file: .github/trivy/daily-scan.trivyignore.yaml
 
       - name: Configure AWS Credentials for emitting metrics
         if: always()

.github/workflows/pr-build.yml

@@ -236,6 +236,7 @@ jobs:
           image-ref: ${{ env.TEST_TAG }}
           severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
           logout: 'true'
+          trivyignore-file: .github/trivy/pr-build.trivyignore.yaml
 
       - name: Test docker image
         if: ${{ matrix.os == 'ubuntu-latest' }}