From 73561b736d267aed4551fb3d7f3a1adf3507bd5a Mon Sep 17 00:00:00 2001 From: AnaisUrlichs Date: Thu, 10 Aug 2023 08:58:11 +0100 Subject: [PATCH] updates to filtering Signed-off-by: AnaisUrlichs --- docs/docs/configuration/filtering.md | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/docs/docs/configuration/filtering.md b/docs/docs/configuration/filtering.md index e054478a3b8d..02a1fd548146 100644 --- a/docs/docs/configuration/filtering.md +++ b/docs/docs/configuration/filtering.md @@ -319,17 +319,24 @@ You can specify a Rego file with `--ignore-policy` option. The Rego package name must be `trivy` and it must include a rule called `ignore` which determines if each individual vulnerability should be excluded (ignore=true) or not (ignore=false). In the policy, each vulnerability will be available for inspection as the `input` variable. -The structure of each vulnerability input is the same as for the Trivy JSON result output. - For instance, if we want to create an `--ignore-policy` option for the following container image `centos:7`, you can first create the json output of the Trivy vulnerability scan: ```bash $ trivy image -o result.json -f json centos:7 ``` +This will save the scan result in JSON format to the `result.json` file. In the output you will find an array called `Results` which lists all the discovered vulnerabilities. An example is provided below: + +```json + "CweIDs": [ + "CWE-20" + ], +``` +
-JSON Result section -```bash + +Detailed JSON Result +```json "Results": [ { "Target": "centos:7 (centos 7.9.2009)", @@ -357,9 +364,9 @@ $ trivy image -o result.json -f json centos:7 ```
-Next, you can see the JSON result output of the scan in the result.json file. In the file, you will find an array called `Result`. This will list all the Vulnerabilities and based on this information we can create the ignore policy: +Each individual vulnerability in the `Results` array is available for the ignore policy in your Rego policy: -```bash +```rego package trivy import data.lib.trivy @@ -371,7 +378,7 @@ ignore { } ``` -The policy can then be passed into the Trivy command throgh the `--ignore-policy` flag: +The policy can then be passed into the Trivy command through the `--ignore-policy` flag: ```bash $ trivy image --ignore-policy contrib/example_policy/basic.rego centos:7 @@ -383,7 +390,7 @@ For more advanced use cases, there is a built-in Rego library with helper functi To get started, see the [example policy][policy]. -Additionally, it is possible to pass in Rego policies to misconfiguration scans. Currently, this feature is part of the `trivy fs` scans: +Additionally, it is possible to pass in Rego policies to misconfiguration scans: ``` trivy fs --security-checks config --ignore-policy ./custom-policies/ignore/basic-two.rego ./bad_iac
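Review bot: in the first hunk, the new sentence "An example is provided below:" promises an example of the `Results` array, but the fenced block that follows contains only a `"CweIDs": [ "CWE-20" ],` fragment from a single vulnerability entry, which is neither valid standalone JSON nor an illustration of the array; either show a trimmed `Results` entry (the `<details>` block that follows already holds the full one) or drop the fragment and point the reader at the collapsed section. The same hunk also deletes "The structure of each vulnerability input is the same as for the Trivy JSON result output.", which was the one sentence telling policy authors what shape `input` has; keep it, or fold it into the sentence before the new code block, so the link between the JSON output and the `input` variable is not lost.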
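Review bot: "is available for the ignore policy in your Rego policy" in the third hunk says the same thing twice; suggest "Each entry in the `Results` array is passed to your Rego policy as `input`, so the rule can inspect fields such as the `CweIDs` shown above:". The fence change from `bash` to `rego` for the policy block is correct and should stay.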
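Review bot: the last hunk removes "Currently, this feature is part of the `trivy fs` scans:" but leaves the only example as `trivy fs --security-checks config --ignore-policy ...`, so the page no longer states which scan targets accept `--ignore-policy` for misconfiguration scans while still demonstrating only `fs`; if the restriction has been lifted, add a second example for another target, otherwise keep the sentence.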