feature/ignore-unfixed #160

Open. Wants to merge 8 commits into base: master

Conversation

Rhernandez513

@Rhernandez513 Rhernandez513 commented Oct 17, 2024

Adds the `--ignore-unfixed` CLI flag, partially covering #43.

### Ignore Unfixed Vulnerabilities

By default, Trivy also detects unpatched/unfixed vulnerabilities. This means you can't fix these vulnerabilities even if you update all packages. If you would like to ignore them:

```yaml
name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v3
      -
        name: Build
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v3
        with:
          image: user/app:latest
          ignore_unfixed: true
```

All of the steps in "submitting a pull request" pass except for `docker buildx bake validate`, which, even after running `docker buildx bake build` and/or deleting `dist/index.js` and `dist/index.js.map`, still doesn't resolve.

(screenshot attached)
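To make concrete what `ignore_unfixed: true` removes from a scan, here is an added TypeScript example. It is my illustration, not code from this action or from Trivy: the sample report is constructed (the CVE ids are placeholders), and the `trivyImageArgs` helper is an assumed shape for the CLI argument list, the only piece taken from the page being the `--ignore-unfixed` flag itself. Trivy's JSON report carries a `FixedVersion` per finding; a finding with no fixed version is what the flag drops, and the example tallies exactly those so a team can decide whether it wants them out of the gate or merely out of the failure condition.

```typescript
// Added example, not the action's own code: what `ignore_unfixed: true` does to
// a Trivy result set, and the CLI flag it corresponds to. Trivy's JSON report
// gives each finding a FixedVersion; a finding whose FixedVersion is missing or
// empty is "unfixed", and --ignore-unfixed drops it. The report below is
// constructed for this example (the CVE ids are placeholders).

interface TrivyVulnerability {
  VulnerabilityID: string;
  PkgName: string;
  InstalledVersion: string;
  FixedVersion?: string; // missing or "" when no fixed package exists yet
  Severity: string;
}

interface TrivyResult {
  Target: string;
  Vulnerabilities?: TrivyVulnerability[]; // Trivy omits the key for clean targets
}

interface TrivyReport {
  Results: TrivyResult[];
}

// Constructed sample report: three targets, four findings, two of them unfixed.
const sampleReport: TrivyReport = {
  Results: [
    {
      Target: "user/app:latest (debian 12.5)",
      Vulnerabilities: [
        { VulnerabilityID: "CVE-0000-0001", PkgName: "libexample", InstalledVersion: "1.0.0", FixedVersion: "1.0.1", Severity: "HIGH" },
        { VulnerabilityID: "CVE-0000-0002", PkgName: "libexample", InstalledVersion: "1.0.0", FixedVersion: "", Severity: "CRITICAL" },
        { VulnerabilityID: "CVE-0000-0003", PkgName: "othertool", InstalledVersion: "2.3.0", Severity: "MEDIUM" },
      ],
    },
    {
      Target: "Node.js",
      Vulnerabilities: [
        { VulnerabilityID: "CVE-0000-0004", PkgName: "somelib", InstalledVersion: "4.1.0", FixedVersion: "4.1.2", Severity: "LOW" },
      ],
    },
    { Target: "usr/bin/app (gobinary)" }, // clean target: no Vulnerabilities key
  ],
};

function isFixed(v: TrivyVulnerability): boolean {
  return typeof v.FixedVersion === "string" && v.FixedVersion.trim() !== "";
}

// Equivalent of --ignore-unfixed applied after the fact: keep only findings
// that have a fixed version, leaving the per-target structure intact.
function ignoreUnfixed(report: TrivyReport): TrivyReport {
  return {
    Results: report.Results.map((r) => ({
      ...r,
      Vulnerabilities: (r.Vulnerabilities ?? []).filter(isFixed),
    })),
  };
}

function countFindings(report: TrivyReport): number {
  return report.Results.reduce((n, r) => n + (r.Vulnerabilities ?? []).length, 0);
}

// What the flag hides: the unfixed findings, tallied by severity. A CRITICAL
// with no fix is still exposure that needs a mitigation, so keep this count
// visible somewhere even when the gate ignores it.
function unfixedSummary(report: TrivyReport): { total: number; unfixed: number; bySeverity: Record<string, number> } {
  const bySeverity: Record<string, number> = {};
  let unfixed = 0;
  for (const r of report.Results) {
    for (const v of r.Vulnerabilities ?? []) {
      if (isFixed(v)) continue;
      unfixed++;
      bySeverity[v.Severity] = (bySeverity[v.Severity] ?? 0) + 1;
    }
  }
  return { total: countFindings(report), unfixed, bySeverity };
}

// The trivy CLI equivalent of the action input. The argument list shape is an
// assumption for this example; the action's own command construction is not
// shown on this page.
function trivyImageArgs(image: string, opts: { ignoreUnfixed: boolean }): string[] {
  const args = ["image", "--format", "json"];
  if (opts.ignoreUnfixed) args.push("--ignore-unfixed");
  args.push(image);
  return args;
}

const hidden = unfixedSummary(sampleReport);
console.log(`findings: ${hidden.total}, unfixed (dropped by the flag): ${hidden.unfixed}`, hidden.bySeverity);
console.log("kept after ignoreUnfixed:", countFindings(ignoreUnfixed(sampleReport)));
console.log("trivy", trivyImageArgs("user/app:latest", { ignoreUnfixed: true }).join(" "));
```

Run it with ts-node or compile with tsc. The design point is that the flag trims what the gate sees, not what is present in the image: on the sample report it drops a CRITICAL finding along with a MEDIUM one, so a workflow that sets `ignore_unfixed: true` should still surface the unfixed tally (for instance in the job summary) rather than losing it entirely.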

@Rhernandez513 Rhernandez513 marked this pull request as ready for review October 17, 2024 15:59
@crazy-max crazy-max (Owner) left a comment

Needs to update dist with docker buildx bake pre-checkin, see https://github.com/crazy-max/ghaction-container-scan/blob/master/.github/CONTRIBUTING.md#submitting-a-pull-request

Can you also squash your commits please?

Comment on lines +133 to +164
### Ignore Unfixed Vulnerabilities

By default, Trivy also detects unpatched/unfixed vulnerabilities. This means you can't fix these vulnerabilities even if you update all packages. If you would like to ignore them:

```yaml
name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v3
      -
        name: Build
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v3
        with:
          image: user/app:latest
          ignore_unfixed: true
```

Owner (crazy-max):

Don't think we need a specific usage example just for this but we should have this in the inputs table: https://github.com/crazy-max/ghaction-container-scan?tab=readme-ov-file#inputs

(two further review comments on README.md, outdated and resolved)
Comment on lines +37 to +40
```yaml
  ignore_unfixed:
    description: 'Ignore Unfixed CVEs'
    default: 'false'
    required: false
```
Owner (crazy-max):

Can you move this right before annotations?

@@ -28,6 +28,7 @@ export interface Inputs {
severityThreshold?: string;
annotations?: boolean;
githubToken?: string;
ignoreUnfixed?: boolean;
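Review bot: `ignoreUnfixed?: boolean;` is appended after `githubToken?: string;`, which puts the interface out of step with where the owner wants the input in action.yml; move it directly before `annotations?: boolean;` so the interface, action.yml and the getInputs() mapping list the inputs in one order. Keeping the field optional matches the neighbouring `annotations?: boolean`, but since getInputs() assigns it unconditionally from `core.getBooleanInput`, a non-optional `boolean` would also be accurate here; whichever is chosen, document the new input in the README inputs table as requested above.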
Owner (crazy-max):

Same as above, move this right before annotations

@@ -39,7 +40,8 @@ export async function getInputs(): Promise<Inputs> {
severity: core.getInput('severity'),
severityThreshold: core.getInput('severity_threshold'),
annotations: core.getBooleanInput('annotations'),
githubToken: core.getInput('github_token')
githubToken: core.getInput('github_token'),
ignoreUnfixed: core.getBooleanInput('ignore_unfixed')
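Review bot: `core.getBooleanInput('ignore_unfixed')` throws when the input is set to anything other than the accepted true/false spellings instead of returning undefined, so the `default: 'false'` in action.yml (lines +37 to +40 above) is what keeps workflows that never set `ignore_unfixed` from failing; keep that default and this call in sync. As with the interface, the new property lands after `githubToken`; moving it before `annotations` as requested keeps the three declarations in the same order. Note that this hunk only reads the input; nothing visible here passes the value on to the trivy invocation, so make sure the `--ignore-unfixed` flag is actually appended to the command elsewhere in the diff.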
Owner (crazy-max):

Same here

(a further review comment on README.md, outdated and resolved)
revert change