-
QuestionI want to use the ignore_policy option to ignore particular cve's. Having read the docs and looked at the examples, (I note the link to the helper file is broken and module.go it references appears to be missing), its not clear to me whether you can simply have a rego file with an option something like this - package trivy import data.lib.trivy default ignore = false ignore_vulnerabilities := {"CVE-1234-5678", "CVE-5678-1234","CVE-2345-6789"} I want to do this using rego rather than the .trivyignore file as I am planning on add this file as an artifact to an image. Then I want to see if i can work with our cloud vendor to use the rego policy when doing an image scan to ignore those cve's. Can someone confirm if ignoring the cve (which seems to be the most simplest form of being able to ignore a vulnerability beyond all the cvss stuff it does support, does indeed work ?? Andy TargetContainer Image ScannerVulnerability Output FormatNone ModeStandalone Operating SystemLinux - various Version0.48.2 |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 8 replies
-
|
Hi @akcrisp ! Have you looked at the latest version of the documentation? https://aquasecurity.github.io/trivy/v0.51/docs/configuration/filtering/#by-rego |
Beta Was this translation helpful? Give feedback.
-
|
ah thanks for that - no i had missed it - so on that basis i can do ignore input.VulnerabilityID[_] == 'CVE-2015-5186' Will give it ago. |
Beta Was this translation helpful? Give feedback.
-
|
The second option, so OR is presented through multiple rules with the same head. This will help you understand how rules work in Rego. |
Beta Was this translation helpful? Give feedback.
-
|
Actually @nikpivkin I figured out how to do a list in opa (crash dive in opa rules writing :-) ) - put this here in case anyone else finds it useful. package trivy import data.lib.trivy default ignore = false cve_list := ["cve-xxxx-yyyy", "cve-xxxx-yyyy", "cve-xxxx-yyyy"] ignore { |
Beta Was this translation helpful? Give feedback.
-
|
@akcrisp Or you can use the Rego v1 syntax. package trivy
import rego.v1
cve_list := {"cve-xxxx-yyyy", "cve-xxxx-yyyy", "cve-xxxx-yyyy"}
default ignore := false
ignore if input.VulberabilityID in cve_list |
Beta Was this translation helpful? Give feedback.
-
|
@nikpivkin is there any advantage of using the rego v1 syntax ? is that the future syntax ?? |
Beta Was this translation helpful? Give feedback.
-
|
You can find answers in the documentation https://www.openpolicyagent.org/docs/latest/opa-1/ |
Beta Was this translation helpful? Give feedback.
Hi @akcrisp !
Have you looked at the latest version of the documentation? https://aquasecurity.github.io/trivy/v0.51/docs/configuration/filtering/#by-rego