Feat/trivyignore (#211)

* feat(trivy): Add autoremove ignored CVEs
canonical · Nov 27, 2023 · d650bed · d650bed
1 parent 2c57e4d
commit d650bed
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/.github/workflows/build_rocks.yaml b/.github/workflows/build_rocks.yaml
@@ -89,6 +89,8 @@ jobs:
         path: ${{ fromJSON(needs.get-rocks.outputs.rock-paths) }}
     steps:
       - uses: actions/[email protected]
+        with:
+          fetch-depth: 0
       - name: Extract rock information
         run: |
           IMAGE_NAME=$(yq '.name' "${{ matrix.path }}/rockcraft.yaml")
@@ -224,3 +226,23 @@ jobs:
         env:
           TRIVY_USERNAME: ${{ github.actor }}
           TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check trivyignore
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.46.0
+          if [ -f ".trivyignore" ]
+          then
+            output=$(trivy image $ROCK_IMAGE --severity HIGH,CRITICAL -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found")
+            line=0
+            while read CVE;
+            do
+              line=$(( line + 1 ))
+              if [[ "$output" != *"$CVE"* ]] && [[ ! "$CVE" =~ ^#.* ]]
+              then
+              echo "::notice file=.trivyignore,line=${line}::$CVE not present anymore, can be safely removed."
+              fi
+            done < .trivyignore
+          fi
+        env:
+          TRIVY_USERNAME: ${{ github.actor }}
+          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+          ROCK_IMAGE: ${{ env.IMAGE_REF }}