add trivyignore file to ignore false positive CVEs in security scan
dandelany committed Sep 4, 2024
1 parent 9d2cd88 commit 9ddaf4f
Showing 2 changed files with 12 additions and 0 deletions.
11 changes: 11 additions & 0 deletions .github/config/.trivyignore
@@ -0,0 +1,11 @@
# List of CVEs to ignore in our security scans in Publish workflow
# see https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#trivyignore

# These were determined to be false positives caused by the `gosu` library
# which is installed by the postgres docker container and does not use the entirety of the Go stdlib
# for details see:
# - https://github.com/tianon/gosu/blob/master/SECURITY.md
# - https://github.com/NASA-AMMOS/aerie/pull/1546
CVE-2023-24538
CVE-2023-24540
CVE-2024-24790
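Review bot: the three suppressed IDs are justified only for `gosu` in the postgres image, but this ignore file is applied to every image in the publish matrix (the same step writes `${{ matrix.image }}-results.html`), so a real Go stdlib finding in any other image that ships a Go binary would be hidden as well. Consider scoping the justification by recording in the comment which image each entry applies to, and since the entries are open-ended, add a re-review date (the linked Trivy filtering docs describe an `exp:YYYY-MM-DD` suffix for time-bounded ignores) so the suppressions do not silently outlive the gosu build that caused them.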
1 change: 1 addition & 0 deletions .github/workflows/publish.yml
@@ -158,6 +158,7 @@ jobs:
template: "@/contrib/html.tpl"
scanners: "vuln"
output: "${{ matrix.image }}-results.html"
trivyignores: "../.trivyignore"

- name: Upload ${{ matrix.image }} scan results
if: always()
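Review bot: `trivyignores: "../.trivyignore"` is a relative path and the hunk does not show the step's working directory; the file added in this commit lives at `.github/config/.trivyignore`, so unless the scan runs from inside `.github/config`, `../.trivyignore` will not resolve to it (from the repository root it points outside the checkout). An explicit repository-relative path such as `trivyignores: ".github/config/.trivyignore"` removes the ambiguity. It is also worth confirming in the next workflow run that the HTML report no longer lists the three CVEs, since a wrong path would leave the scan unchanged without any visible failure in this step.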

0 comments on commit 9ddaf4f