
Ignoring stuff #4028

Closed
itaysk opened this issue Apr 11, 2023 Discussed in #3620 · 2 comments
lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed.
itaysk commented Apr 11, 2023

Converted from Discussion #3620

Originally posted by itaysk February 14, 2023

There's confusion around how to ignore/filter things across Trivy (see evidence in footnotes). Filtering functionality has been incrementally accumulated over time across different areas in Trivy. The docs need to clearly cover what is possible and how to choose the right mechanism. In addition, we need to work to make filtering/ignoring consistent across the different areas in Trivy. This issue is for deciding on the mechanism and terminology, and also to track the work to complete it, as well as other related issues.

Proposal

The words we used around "policy" and "ignore" were ambiguous. I propose the following (for now just for this doc, in the future maybe more):

  1. check: some issue that the Trivy misconfiguration engine can find, e.g. the privileged container check
  2. policy: some business logic to control how Trivy does something, e.g. the pull image policy
  3. skip: tell Trivy to not try to scan something, e.g. don't scan the test directory in my project
  4. ignore: tell Trivy to not report something that was detected, e.g. I know about this issue so don't report it to me anymore

Skipping (inputs)

Skipping is supported on the following:

  1. skipping scanned files:
    1. using --skip-files flags
    2. using --skip-dirs flags
    3. update: Trivy now supports skipping by glob pattern, so maybe we don't need two flags?
  2. skipping checks:
    1. using a special rego file that contains conftest-inspired exception policy (loaded via --policy)
      1. TODO: Rename exceptions rule to skip to align with new terminology
    2. In license scanning, using --ignored-licensed

Ignoring (outputs)

Ignoring is supported on the following:

  1. Ignoring results:
    1. --ignorefile/~/.trivyignore: ignore by check ID
  2. --ignore-policy: rego policy on results
  3. --ignore-unfixed
  4. //tfsec:ignore inline declaration. TODO: turn into //trivy:ignore Support Inline Filtering #2961

related issues:

@itaysk itaysk added kind/feature Categorizes issue or PR as related to a new feature. and removed kind/feature Categorizes issue or PR as related to a new feature. labels Apr 11, 2023
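To make the skip/ignore distinction from the proposal concrete, here is an added example (not Trivy's own code) that applies the two "ignore (outputs)" mechanisms listed above, a `.trivyignore`-style ID list and `--ignore-unfixed`, as a post-filter over a constructed report. The report field names (`Results`, `Vulnerabilities`, `VulnerabilityID`, `FixedVersion`, `Misconfigurations`, `ID`) are an assumption about Trivy's JSON output shape, not something the issue states.

```python
import json

# Constructed .trivyignore content (one finding ID per line, '#' starts a comment).
TRIVYIGNORE = """
# accepted risk, tracked in TICKET-PLACEHOLDER
CVE-2023-0001
AVD-KSV-0012
"""

# Constructed report fragment in the shape of `trivy ... -f json` output
# (field names are an assumption about Trivy's schema, not taken from the issue).
REPORT = json.loads("""{"Results": [
 {"Target": "app", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-2023-0001", "PkgName": "a", "FixedVersion": "1.1"},
  {"VulnerabilityID": "CVE-2023-0002", "PkgName": "b", "FixedVersion": ""},
  {"VulnerabilityID": "CVE-2023-0003", "PkgName": "c", "FixedVersion": "2.0"}]},
 {"Target": "deploy.yaml", "Misconfigurations": [
  {"ID": "AVD-KSV-0012", "Title": "runs as root"},
  {"ID": "AVD-KSV-0017", "Title": "privileged container"}]}]}""")


def parse_trivyignore(text):
    """Return the set of finding IDs listed in .trivyignore text."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if line:
            ids.add(line)
    return ids


def apply_ignores(report, ignored_ids, ignore_unfixed=False):
    """Post-filter findings. This is 'ignore' (outputs): every target was
    still scanned; 'skip' (--skip-files/--skip-dirs) would act on inputs."""
    out = {"Results": []}
    for res in report["Results"]:
        vulns = [v for v in res.get("Vulnerabilities", [])
                 if v["VulnerabilityID"] not in ignored_ids
                 and not (ignore_unfixed and not v.get("FixedVersion"))]
        miscs = [m for m in res.get("Misconfigurations", [])
                 if m["ID"] not in ignored_ids]
        out["Results"].append(dict(res, Vulnerabilities=vulns, Misconfigurations=miscs))
    return out


def remaining_ids(report):
    """Flat list of finding IDs left in a report, in report order."""
    ids = []
    for res in report["Results"]:
        ids += [v["VulnerabilityID"] for v in res.get("Vulnerabilities", [])]
        ids += [m["ID"] for m in res.get("Misconfigurations", [])]
    return ids
```

Running `remaining_ids(apply_ignores(REPORT, parse_trivyignore(TRIVYIGNORE), ignore_unfixed=True))` leaves only the fixable, non-ignored CVE and the non-ignored misconfiguration; the unfixed CVE-2023-0002 is dropped by the `--ignore-unfixed` rule, while both listed IDs are dropped by the ignore file.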
@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jun 11, 2023
@simar7 simar7 removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jun 11, 2023
@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Aug 11, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Aug 31, 2023