Centralised usage of .trivyignore file for composite github actions #9356
beaglemarauder
started this conversation in
Ideas
Replies: 1 comment
-
Hi @beaglemarauder - I assume this is related to the Trivy GitHub action? If so, have you tried passing the config file in, as mentioned here? https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#trivy-config-file If you have, I'd like to understand what's missing from the current situation first so we can better help you.
-
Description
I would like the ability to use a central .trivyignore ignore file that lives in the same repository as the composite action that is passed with the action when called by a workflow in a different repository. This will help immensely with providing the ability to synchronously apply suppressions in the pipeline that would be suppressed upstream in a CNAPP tool for consistency.
There would be two ways to use it. One would be setting the relative path as the trivyignores: default input in the composite action and providing no "with" path, and the default gets passed when the composite action is called,
or,
The .trivyignore would live in the reusable-github-actions repo and is called like this, using a full path to the ignore file:
- name: Code Scan
  uses: /Org/reusable-github-actions/.github/actions/code_scanning@main
  with: Org/reusable-github-actions/.trivyignore
Target
Git Repository
Scanner
Misconfiguration
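For reference, one way to get a centrally managed ignore file with existing features, as an added example that is not part of the original post and not code from the Trivy project: the composite action copies its own `.trivyignore` into the caller's workspace and passes it through the trivy-action `trivyignores` input. It assumes the ignore file is stored beside `action.yml`; the staged file name `.trivyignore.central` and the `<pinned-commit-sha>` placeholder are hypothetical.

```yaml
# .github/actions/code_scanning/action.yml in the shared repository (assumed layout)
name: code_scanning
description: Trivy misconfiguration scan with centrally managed suppressions
inputs:
  trivyignores:
    description: Optional extra ignore file, relative to the caller's workspace
    required: false
    default: ""
runs:
  using: composite
  steps:
    - name: Stage the central ignore file
      shell: bash
      env:
        # Directory of this action's files on the runner, not the caller's checkout
        ACTION_DIR: ${{ github.action_path }}
      run: |
        set -euo pipefail
        # Fails the job if the central file is missing, so a scan never
        # runs silently without the agreed suppressions.
        cp "$ACTION_DIR/.trivyignore" "$GITHUB_WORKSPACE/.trivyignore.central"

    - name: Code Scan
      # Placeholder: pin to a reviewed commit of aquasecurity/trivy-action
      uses: aquasecurity/trivy-action@<pinned-commit-sha>
      with:
        scan-type: fs
        scan-ref: .
        scanners: misconfig
        # Comma-separated list: central file first, caller's file only if supplied
        trivyignores: .trivyignore.central${{ inputs.trivyignores != '' && format(',{0}', inputs.trivyignores) || '' }}
```

Callers that reference the action at `@main` pick up every change to the central file immediately, so changes to it are worth gating behind review (for example a CODEOWNERS entry), because each added line hides a finding in every consuming repository.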