Merge pull request #1546 from NASA-AMMOS/ops/trivyignore-false-positives

Add trivyignore file to ignore false positive CVEs in security scan
NASA-AMMOS · Sep 5, 2024 · 647c66d · 647c66d
2 parents fd167b1 + ec160c3
commit 647c66d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/.github/config/.trivyignore b/.github/config/.trivyignore
@@ -0,0 +1,11 @@
+# List of CVEs to ignore in our security scans in Publish workflow
+# see https://aquasecurity.github.io/trivy/v0.53/docs/configuration/filtering/#trivyignore
+
+# These were determined to be false positives caused by the `gosu` library
+# which is installed by the postgres docker container and does not use the entirety of the Go stdlib
+# for details see:
+# - https://github.com/tianon/gosu/blob/master/SECURITY.md
+# - https://github.com/NASA-AMMOS/aerie/pull/1546
+CVE-2023-24538
+CVE-2023-24540
+CVE-2024-24790
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -147,8 +147,10 @@ jobs:
       fail-fast: false
     name: scan ${{ matrix.image }}
     steps:
+      - uses: actions/checkout@v4
+
       - name: Scan ${{ matrix.image }} for vulnerabilities
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ matrix.image }}:develop
           ignore-unfixed: true
@@ -158,6 +160,7 @@ jobs:
           template: "@/contrib/html.tpl"
           scanners: "vuln"
           output: "${{ matrix.image }}-results.html"
+          trivyignores: .github/config/.trivyignore
 
       - name: Upload ${{ matrix.image }} scan results
         if: always()