.trivyignore file is ignored

[vweinberger-bhs]

I'm using aquasecurity/trivy-action@0.29.0 in my GitHub Actions workflow. I want to use a .trivyignore.yml to specify the files which should be ignored.

.trivyignore.yml:

misconfigurations:
  - id: AVD-KSV-0109
    paths:
      - "kubernetes/*/grafana/datasources.yml"

Locally the misconfiguration is ignored, everything works as expected when I am executing:

trivy config . --ignorefile ./.trivyignore.yml

In my GitHub Actions workflow, I set trivyignores: './.trivyignore.yml' for the aquasecurity/trivy-action call in the with block.
The file ./.trivyignore.yml is found, this is the output of the workflow:

Run aquasecurity/trivy-action@0.29.0
  with:
    scan-type: config
    hide-progress: false
    format: table
    exit-code: [1](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:1)
    ignore-unfixed: true
    severity: CRITICAL,HIGH
    token-setup-trivy: ***
    trivyignores: ./.trivyignore.yml
    scan-ref: .
    vuln-type: os,library
    cache-dir: /home/runner/_work/prometheus-prod/prometheus-prod/.cache/trivy
    list-all-pkgs: false
    version: v0.57.1
    cache: true
    skip-setup-trivy: false
Run aquasecurity/setup-trivy@v0.[2](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:2).2
  with:
    version: v0.57.1
    cache: true
    token: ***
    path: $HOME/.local/bin
Run echo "dir=$HOME/.local/bin/trivy-bin" >> $GITHUB_OUTPUT
Run actions/cache@v4
Cache Size: ~[3](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:3)6 MB (37617819 B)
/usr/bin/tar -xf /home/runner/_work/_temp/a21d65b6-deab-[4](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:4)928-9432-0e6519eb5654/cache.tzst -P -C /home/runner/_work/prometheus-prod/prometheus-prod --use-compress-program unzstd
Cache restored successfully
Cache restored from key: trivy-binary-v0.[5](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:5)7.1-Linux-X64
Run echo /home/runner/.local/bin/trivy-bin >> $GITHUB_PATH
Run echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
Run actions/cache@v4
Cache Size: ~0 MB (179237 B)
/usr/bin/tar -xf /home/runner/_work/_temp/cf0ef589-84b1-474[6](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:6)-a253-aa223c060c[7](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:7)e/cache.tzst -P -C /home/runner/_work/prometheus-prod/prometheus-prod --use-compress-program unzstd
Cache restored successfully
Cache restored from key: cache-trivy-2024-11-26
Run echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
Run # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
Run entrypoint.sh
Found ignorefile './.trivyignore.yml':
misconfigurations:
  - id: AVD-KSV-010[9](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:9)
    paths:
      - "kubernetes/development/grafana/datasources.yml"
      - "kubernetes/production/grafana/datasources.yml"
Running Trivy with options: trivy config .

As you can see in the last line, trivy itself is not executed with "--ignorefile" like locally. Maybe this is the problem?

The result is that my configured files in ./.trivyignore.yml, which should be ignored, are not ignored and I get the following error:

2024-11-26T13:47:50Z	INFO	Detected config files	num=11

kubernetes/development/grafana/datasources.yml (kubernetes)
===========================================================
Tests: 9 (SUCCESSES: 8, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-KSV-0109 (HIGH): ConfigMap 'grafana-datasources' in 'default' namespace stores secrets in key(s) or value(s) '{"#     clientSecret"}'
════════════════════════════════════════
Storing secrets in configMaps is unsafe

See https://avd.aquasec.com/misconfig/avd-ksv-0109
────────────────────────────────────────

Please investigate this issue.

[claudioma82]

I found the problem: the script entrypoint.sh doesn't support files with yaml extension like trivyignore.yaml.

The line 13: ignorefile="./trivyignores" creates the trivyignore in text format, and the following lines of the script basically read the INPUT_TRIVYIGNORES list and write in the ignore file created at line 13.

If the files in the INPUT_TRIVYIGNORES are in text format everything works, but if the files are in .yaml, trivy doesn't understand the yaml format because the ignorefile (created at line 13) doesn't have the .yaml extension.

As a workaround (like I did) you can write your .trivyignore.yml as text file and call it .trivyignore

[vweinberger-bhs]

Thank you for your investigation.

I can confirm that the usage of a .trivyignore text file works. But it is not a real workaround because with .trivyignore.yml you can do much more than with .trivyignore. For example configure a file path, for which a specific misconfiguration should be ignored. By using .trivyignore, you can just ignore the misconfiguration for all files.

Will .trivyignore.yml/yaml be supported in the future?

[vweinberger-bhs]

👍 This issue can be closed.

[nikpivkin]

@simar7 The ignorefile argument accepts multiple files and then merges them into one, since trivy only accepts one ignorefile. For yaml support we would need to use a tool like yq to merge multiple files into one or add a new argument. WDYT?

[simar7]

The ignorefile argument accepts multiple files and then merges them into one,

@nikpivkin if this is the case, then we shouldn't do this as it diverges from Trivy CLI behavior. Was this intentional?

[nikpivkin]

I don't know, it was implemented a long time ago.

[KornevNikita]

Just a note: for some reason for me it only works if I explicitly define the file extension e.g. .trivyignore.txt

[rajithkrishnegowda]

I have encountered an issue where the .trivyignore file is not being respected by Trivy in my GitHub Actions pipeline. I have tried both .trivyignore.txt and .trivyignore with aquasecurity/trivy-action@0.29.0, but the vulnerabilities specified to be ignored are still being reported.

Steps to Reproduce:

• Create a .trivyignore file with the following content:

# This file is used to suppress both:
# Trivy vulnerability scans (under the 'vulnerabilities' section).
# Trivy's linting warnings (under the 'misconfigurations' section).
# For more information about the Trivy Ignore YAML file, please refer to:
# https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#trivyignoreyaml
# Justification should be included above each suppression group.

######################## Trivy CVE suppressions ########################
vulnerabilities:
  - id: CVE-2025-0395

• Add the .trivyignore file to the root of the repository.

Configure the GitHub Actions workflow to use Trivy:

- name: Run Trivy vulnerability scanner for Docker image (JSON Output)
  uses: aquasecurity/trivy-action@0.29.0
  with:
    image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
    format: 'json'
    output: 'trivy-docker-results.json'
    exit-code: '1'
    ignore-unfixed: true
    vuln-type: 'os,library'
    severity: 'CRITICAL,HIGH,MEDIUM,LOW'
  env:
    TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'

Expected Behavior:

The vulnerability CVE-2025-0395 specified in the .trivyignore file should be ignored during the scan.

Actual Behavior:

The vulnerability CVE-2025-0395 is still being reported in the scan results:

{
  "VulnerabilityID": "CVE-2025-0395",
  "PkgName": "libc-bin",
  "InstalledVersion": "2.35-0ubuntu3.8",
  "Severity": "MEDIUM",
  "Description": "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size."
}

Additional Information:

Trivy version: 0.29.0
GitHub Actions runner: ubuntu-22.04
Please let me know if there are any additional steps or configurations required to ensure the .trivyignore file is respected.

Pipeline Results

`Found ignorefile '.trivyignore':
# This file is used to suppress both:
# Trivy vulnerability scans (under the 'vulnerabilities' section).
# Trivy's linting warnings (under the 'misconfigurations' section).
# For more information about the Trivy Ignore YAML file, please refer to:
# https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#trivyignoreyaml
# Justification should be included above each suppression group.

######################## Trivy CVE supressions ########################
vulnerabilities:
  - id: CVE-2025-0395` 

The result is that my configured files in ./.trivyignore.yml, which should be ignored, are not ignored and I get the following error:

`Trivy Scan Results:
{
  "VulnerabilityID": "CVE-[20](https://github.com/rajithkrishnegowda/openfl/actions/runs/13262128206/job/37020921274?pr=27#step:11:21)25-0395",
  "PkgName": "libc-bin",
  "InstalledVersion": "2.35-0ubuntu3.8",
  "Severity": "MEDIUM",
  "Description": "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size."
}`