feature/ignore-unfixed #160
base: master
Conversation
Needs to update dist with `docker buildx bake pre-checkin`, see https://github.com/crazy-max/ghaction-container-scan/blob/master/.github/CONTRIBUTING.md#submitting-a-pull-request
Can you also squash your commits please?
### Ignore Unfixed Vulnerabilities

By default, Trivy also detects unpatched/unfixed vulnerabilities. This means you can't fix these vulnerabilities even if you update all packages. If you would like to ignore them:

```yaml
name: ci

on:
  push:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v3
      -
        name: Build
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          tags: user/app:latest
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v3
        with:
          image: user/app:latest
          ignore_unfixed: true
```
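Review bot: The sentence "This means you can't fix these vulnerabilities even if you update all packages" reads as though the findings are unfixable; what it means is that the distribution has not yet published a patched package version, so upgrading does not clear the finding. Suggest wording such as "Unfixed vulnerabilities are those for which no patched package version is available yet, so they remain even after updating all packages." It would also help to say that `ignore_unfixed: true` hides findings that still affect the image, so it is a triage choice rather than a remediation and should be revisited when the base image is rebuilt.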
Don't think we need a specific usage example just for this but we should have this in the inputs table: https://github.com/crazy-max/ghaction-container-scan?tab=readme-ov-file#inputs
ignore_unfixed:
  description: 'Ignore Unfixed CVEs'
  default: 'false'
  required: false
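Review bot: The description `'Ignore Unfixed CVEs'` should tell users what the input does, namely that it passes Trivy's `--ignore-unfixed` flag so vulnerabilities with no available fix are dropped from the report; something like `description: 'Ignore vulnerabilities with no available fix (trivy --ignore-unfixed)'` and a mention that only `true`/`false` are accepted would make the inputs table self-explanatory.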
Can you move this right before `annotations`?
@@ -28,6 +28,7 @@ export interface Inputs {
  severityThreshold?: string;
  annotations?: boolean;
  githubToken?: string;
  ignoreUnfixed?: boolean;
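Review bot: `ignoreUnfixed?: boolean` is appended after `githubToken` instead of next to the related scan option `annotations?: boolean`, so the interface no longer groups the scan-behaviour fields together; place it directly before `annotations` and keep the same position in `getInputs()` so the two stay in step when further inputs are added.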
Same as above, move this right before annotations
@@ -39,7 +40,8 @@ export async function getInputs(): Promise<Inputs> {
  severity: core.getInput('severity'),
  severityThreshold: core.getInput('severity_threshold'),
  annotations: core.getBooleanInput('annotations'),
  githubToken: core.getInput('github_token')
  githubToken: core.getInput('github_token'),
  ignoreUnfixed: core.getBooleanInput('ignore_unfixed')
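Review bot: `core.getBooleanInput('ignore_unfixed')` throws a TypeError for any value other than `true|True|TRUE|false|False|FALSE`, so a workflow that writes `ignore_unfixed: yes` fails the step before the scan runs; the `default: 'false'` in action.yml covers the unset case, but the README should state the accepted values. Also, nothing in the visible hunks passes `ignoreUnfixed` on to the Trivy invocation; the hunk that appends `--ignore-unfixed` to the command line when the input is true belongs in the same change so the new input is actually honored.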
Same here
revert change
revert change
Adds the `--ignore-unfixed` CLI flag, partially covering #43
Ignore Unfixed Vulnerabilities
By default, Trivy also detects unpatched/unfixed vulnerabilities. This means you can't fix these vulnerabilities even if you update all packages. If you would like to ignore them:
All of the steps in "submitting a pull request" pass except for `docker buildx bake validate`, which even after running `docker buildx bake build` and/or deleting `dist/index.js` and `dist/index.js.map` still doesn't resolve.
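To show how the `ignore_unfixed` input described in the README section and the PR description would be parsed and end up on Trivy's command line, here is an added example in TypeScript. It is not code from crazy-max/ghaction-container-scan; `parseBooleanInput`, `getInputs(env)`, `buildTrivyArgs` and the argv layout are assumptions made for the illustration, and the boolean acceptance rule reproduces the documented `@actions/core` `getBooleanInput` behaviour (only `true|True|TRUE|false|False|FALSE` are valid). Only the input name and the `--ignore-unfixed` flag come from the PR.

```typescript
// Added example for this PR thread, not code from crazy-max/ghaction-container-scan.
// Names (Inputs, parseBooleanInput, getInputs(env), buildTrivyArgs) and the argv
// layout are assumptions; only the input name and the Trivy flag come from the PR.

interface Inputs {
  image: string;
  severity?: string;
  severityThreshold?: string;
  annotations?: boolean;
  githubToken?: string;
  ignoreUnfixed?: boolean;
}

// Same acceptance rule as @actions/core getBooleanInput (YAML 1.2 core schema):
// only these six spellings are valid; anything else ("yes", "1", "") is an
// error instead of silently becoming false, so a typo cannot disable a filter
// or, worse, be read as enabling one.
function parseBooleanInput(name: string, raw: string | undefined): boolean {
  const value = (raw === undefined ? "" : raw).trim();
  if (value === "true" || value === "True" || value === "TRUE") {
    return true;
  }
  if (value === "false" || value === "False" || value === "FALSE") {
    return false;
  }
  throw new TypeError(
    `Input does not meet YAML 1.2 "Core Schema" specification: ${name}. ` +
      "Supported values: true | True | TRUE | false | False | FALSE"
  );
}

// GitHub exposes workflow inputs to the runner as INPUT_<NAME> environment
// variables; taking an env map lets this run offline. The "false" fallbacks
// stand in for action.yml defaults (assumed here for annotations).
function getInputs(env: Record<string, string | undefined>): Inputs {
  const get = (name: string): string | undefined => env[`INPUT_${name.toUpperCase()}`];
  return {
    image: get("image") || "",
    severity: get("severity"),
    severityThreshold: get("severity_threshold"),
    annotations: parseBooleanInput("annotations", get("annotations") || "false"),
    githubToken: get("github_token"),
    ignoreUnfixed: parseBooleanInput("ignore_unfixed", get("ignore_unfixed") || "false"),
  };
}

// Builds argv for `trivy image`. `--ignore-unfixed` is only appended when the
// input is true, so the default keeps Trivy reporting vulnerabilities that have
// no fixed package version yet; the image reference goes last as Trivy expects.
function buildTrivyArgs(inputs: Inputs): string[] {
  const args: string[] = ["image"];
  if (inputs.severity) {
    args.push("--severity", inputs.severity);
  }
  if (inputs.ignoreUnfixed) {
    args.push("--ignore-unfixed");
  }
  args.push(inputs.image);
  return args;
}
```

In a real action the env map would be `process.env` and the returned argv would be handed to `trivy` through `@actions/exec`; the point of keeping the flag opt-in with a `false` default is that unfixed findings stay visible unless a workflow explicitly chooses to hide them.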