Replies: 7 comments 1 reply
-
Agreed, this would be very useful |
Beta Was this translation helpful? Give feedback.
-
@rethab @davidteal thanks for your interest!
also you can use different
don't these options cover your cases? thanks |
Beta Was this translation helpful? Give feedback.
-
Hi @afdesk thanks for your comment. This certainly helps! :) However I still think flagging ignored vulnerabilities that aren't present anymore would be very helpful just to keep this file clean. |
Beta Was this translation helpful? Give feedback.
-
Yep, we have the same issue/problem 😅 would be nice flagging ignored vulnerabilities that aren't present anymore. To have a clean ignore list. |
Beta Was this translation helpful? Give feedback.
-
Hmm from a user perspective, I would actually prefer the first option that a scan would just report the vulnerability IDs (maybe with the AVD) that are present in the .ignore file but are not detected in the scan anymore
Otherwise, it seems like a task that is manual and separate from the routine scan |
Beta Was this translation helpful? Give feedback.
-
Is there any progress in this idea in the future? 😅 |
Beta Was this translation helpful? Give feedback.
-
I do like the expiration date! And will use it. In addition from a CI perspective I would like to force an up to date .trivyignore file. So I would like something like:
The output should list what should be removed from .trivyignore. |
Beta Was this translation helpful? Give feedback.
-
The
.trivyignore
file gets bigger and bigger as new vulnerabilities are added. From what I understand, the best way to know when a line could be removed is to run the scan again and see if it shows up again.It would be nice if trivy provided better support for this. This could be done either by:
This would greatly help with maintaining the
.trivyignore
file.If you accept this request, I'm happy to give it a try. Personally, I'd prefer option 2, although both options could be implemented.
Beta Was this translation helpful? Give feedback.
All reactions