From ec160c35f66003d8cc3dea9f0c3452d367cd0da9 Mon Sep 17 00:00:00 2001
From: dandelany
Date: Thu, 5 Sep 2024 10:39:41 -0700
Subject: [PATCH] add .trivyignore file to ignore false positive CVEs

---
 .github/config/.trivyignore | 11 +++++++++++
 .github/workflows/publish.yml | 5 ++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 .github/config/.trivyignore

diff --git a/.github/config/.trivyignore b/.github/config/.trivyignore
new file mode 100644
index 0000000000..51a3d9ea40
--- /dev/null
+++ b/.github/config/.trivyignore
@@ -0,0 +1,11 @@
+# List of CVEs to ignore in our security scans in Publish workflow
+# see https://aquasecurity.github.io/trivy/v0.53/docs/configuration/filtering/#trivyignore
+
+# These were determined to be false positives caused by the `gosu` library
+# which is installed by the postgres docker container and does not use the entirety of the Go stdlib
+# for details see:
+# - https://github.com/tianon/gosu/blob/master/SECURITY.md
+# - https://github.com/NASA-AMMOS/aerie/pull/1546
+CVE-2023-24538
+CVE-2023-24540
+CVE-2024-24790
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7a7a2d47a8..7e738ee1be 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -147,8 +147,10 @@ jobs:
 fail-fast: false
 name: scan ${{ matrix.image }}
 steps:
+ - uses: actions/checkout@v4
+
 - name: Scan ${{ matrix.image }} for vulnerabilities
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.24.0
 with:
 image-ref: ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ matrix.image }}:develop
 ignore-unfixed: true
@@ -158,6 +160,7 @@ jobs:
 template: "@/contrib/html.tpl"
 scanners: "vuln"
 output: "${{ matrix.image }}-results.html"
+ trivyignores: .github/config/.trivyignore
 - name: Upload ${{ matrix.image }} scan results
 if: always()
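Review bot: The three CVE entries in the new .trivyignore carry no expiry and no scope, so they suppress those Go stdlib findings in every image the scan matrix covers, not only the `gosu` binary in the postgres image that the header comment justifies; a different Go binary in another image that really is affected would be hidden by the same lines. Trivy's ignore-file format accepts an expiry suffix, e.g. `CVE-2024-24790 exp:YYYY-MM-DD` (date is a placeholder), which forces the false-positive rationale to be re-checked instead of living forever. If the Trivy version in use supports the YAML ignore format, scoping each entry to the gosu path is the tighter option, though whether the action's `trivyignores` input accepts that format is not visible in this patch. It would also help to record in the comment which image(s) each entry was triaged against, so the exception can be retired once postgres ships a rebuilt gosu.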
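Review bot: `uses: aquasecurity/trivy-action@0.24.0` pins a mutable tag rather than an immutable commit SHA, so the scanner that gates publishing can still be swapped by whoever controls that tag; the same applies to the added `actions/checkout@v4` line. The usual form is the full 40-character commit SHA with the tag kept in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # 0.24.0`. The new checkout step exists only so the scan step can read `.github/config/.trivyignore`, so it does not need the repository token persisted in `.git/config`; adding `with:` / `persist-credentials: false` to it limits what any later step in the job can do with that token. The enclosing job definition starts before this hunk.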