Changes to the handling of missing Trivy ignore file is a breaking change

[hctagalong]

Description

We needed to update the version of the Trivy action we use in our GitHub workflows from 0.28.0 to 0.33.1 to address a rego parsing error that suddenly appeared. That lead me to issue #7093 where handling of a missing trivy ignore file was reported as a bug. The prior behavior appears to have been changed per PR #7962.

The prior behavior of silently ignoring the missing file wasn't a bug for how we use the ignore feature. For our IaC scanning workflows, we use a common/centrally located Trivy config file pulled from a common repo via a reusable workflow. Within that common config file, it specifies ignore file: ./.github/.trivyignore.yaml. Not every repo has findings to ignore; in those repos, there is no .trivyignore.yaml present and the prior behavior worked as expected -- silently ignored the not present .trivyignore,.yaml. For repos with findings that are approved to be ignored, those have a .trivyignore.yaml file in the location specified. For those repos, the ignorefile is present and works as expected.

Desired Behavior

The scan ought not fail when an ignorefile is specified but not present. While I understand that we could add an empty ignore file to every repo that currently does not have one, this is not desirable for a few reasons:

1. This is a lot of busywork to add an empty file to a bunch of repos.
2. The presence of the file, for our use case, is an indicator that there are findings being ignored. By adding empty files to all of our repos, now one needs to look into the file to determine if there are actual ignores or not.
3. There isn't much of a difference between a missing file and an empty file for our use case.

Perhaps a compromise would be to produce an INFO level message when an ignorefile is specified but not found rather than fail the scan.

Actual Behavior

Scan fails when an ignorefile is specified in the configuration but not present.

Reproduction Steps

Run a trivy scan; specify an ignorefile within the Trivy config and ensure that the ignorefile is not present at the specified location. This will yield a fatal error.

Target

Filesystem

Scanner

Vulnerability

Output Format

SARIF

Mode

Standalone

Debug Output

N/A

Operating System

Linux

Version

Trivy GitHub action version 0.33.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

Perhaps a compromise would be to produce an INFO level message when an ignorefile is specified but not found rather than fail the scan.

hi @hctagalong - I'm curious how you're running into a failed scan since #7962 addressed this by adding exactly this. It should also be part of the latest release of the trivy action.

[hctagalong]

Here's the output from a quick test from my laptop where the referenced config file has this specified: ignorefile: .github/.trivyignore.yml

Successful run / config references an empty ignorefile

Command
trivy fs . --config ./common_config/trivy-terraform.yml

Output

2025-09-16T16:15:31-05:00	INFO	Loaded	file_path="./common_config/trivy-terraform.yml"
2025-09-16T16:15:31-05:00	INFO	[misconfig] Misconfiguration scanning is enabled
2025-09-16T16:15:35-05:00	INFO	[secret] Secret scanning is enabled
2025-09-16T16:15:35-05:00	INFO	[secret] If your scanning is slow, please try '--scanners misconfig' to disable secret scanning
2025-09-16T16:15:35-05:00	INFO	[secret] Please see https://trivy.dev/v0.66/docs/scanner/secret#recommendation for faster secret detection
2025-09-16T16:15:35-05:00	INFO	Detected config files	num=0

Fatal error when trivy ignorefile is removed

Note

This matches my use case for the majority of our repos; the config file references an ignorefile however the ignorefile does not exist

Command
trivy fs . --config ./common_config/trivy-terraform.yml

Output

2025-09-16T16:16:01-05:00	INFO	Loaded	file_path="./common_config/trivy-terraform.yml"
2025-09-16T16:16:01-05:00	FATAL	Fatal error	flag error: unable to convert flags to options: ignore file not found: .github/.trivyignore.yml

In this case, the scan is immediately failed because the ignore file is not found. Ideally, the scan continues / is unaffected and perhaps just outputs an INFO message about the ignorefile not being found.

Trivy version info

Version: 0.66.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-09-15 12:38:02.324125518 +0000 UTC
  NextUpdate: 2025-09-16 12:38:02.324125378 +0000 UTC
  DownloadedAt: 2025-09-15 14:17:39.002654 +0000 UTC
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-09-16 20:57:04.411282 +0000 UTC

[hctagalong]

For what it's worth, it appears that the 0.33.1 version of the GitHub Trivy action is running Trivy v0.65.0.

And thank you for looking into this.

[hctagalong]

Wondering if this was only a problem when running with a referenced config.yaml file I ran another test where I'm not passing in a config file: trivy config --ignorefile ./.github/.trivyignore.yml .

This yields the same behavior as I have reported above. If the .trivyignore.yml exists, the scan runs as expected. When the .trivyignore.yml file is missing, results in the same fatal error I reported.