Question

I want to use the ignore_policy option to ignore particular CVEs. Having read the docs and looked at the examples (I note the link to the helper file is broken and the module.go it references appears to be missing), it's not clear to me whether you can simply have a Rego file with an option something like this:

```
package trivy
import data.lib.trivy
default ignore = false
ignore_vulnerabilities := {"CVE-1234-5678", "CVE-5678-1234","CVE-2345-6789"}
```

I want to do this using Rego rather than the .trivyignore file as I am planning on adding this file as an artifact to an image. Then I want to see if I can work with our cloud vendor to use the Rego policy when doing an image scan to ignore those CVEs.

Can someone confirm if ignoring the CVE (which seems to be the simplest form of being able to ignore a vulnerability, beyond all the CVSS stuff it does support) does indeed work?

Andy

Target: Container Image
Scanner: Vulnerability
Output Format: None
Mode: Standalone
Operating System: Linux - various
Version: 0.48.2
Replies: 2 comments 8 replies
Hi @akcrisp! Have you looked at the latest version of the documentation? https://aquasecurity.github.io/trivy/v0.51/docs/configuration/filtering/#by-rego
Ah, thanks for that - no, I had missed it - so on that basis I can do `ignore input.VulnerabilityID[_] == 'CVE-2015-5186'`. Will give it a go.
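An added example, not part of the original thread and not Trivy's own code: a Rego ignore policy of the kind discussed above, which suppresses findings by CVE ID and, in a second rule, by CVE ID for one named package only. It assumes the pre-1.0 Rego rule syntax used in the question; the CVE IDs are the placeholders from the question, and `ignore_for_package`, its CVE ID and `examplepkg` are hypothetical names constructed for illustration.

```rego
package trivy

# A finding is reported unless one of the ignore rules below matches it.
default ignore = false

# Placeholder IDs from the question; replace with the CVEs you have
# reviewed and accepted.
ignore_vulnerabilities := {
    "CVE-1234-5678",
    "CVE-5678-1234",
    "CVE-2345-6789",
}

# Hypothetical scoped exceptions: CVE ID -> set of package names for
# which that CVE is accepted. Everything here is constructed.
ignore_for_package := {
    "CVE-0000-0001": {"examplepkg"},
}

# Rule 1: ignore the CVE wherever it appears.
# input.VulnerabilityID is a single string, so test set membership
# directly rather than iterating over it.
ignore {
    ignore_vulnerabilities[input.VulnerabilityID]
}

# Rule 2: ignore the CVE only when it is reported against a listed
# package, so the same CVE in any other package is still reported.
ignore {
    ignore_for_package[input.VulnerabilityID][input.PkgName]
}
```

Save it as a file (for example `ignore.rego`, a name chosen here) and pass it with `trivy image --ignore-policy ignore.rego <image>`. Findings that have no `VulnerabilityID` field leave both rules undefined, so they fall through to the default and are still reported.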