ignoring the severity when we use ignore-unfixed: false #192
Comments
@AndreyLevchenko I feel like it is a critical issue. Could you help fix it? |
@knqyf263 @AndreyLevchenko, any luck on this issue fix? |
@AndreyLevchenko worked on a fix which should be in the latest release of the trivy action https://github.com/aquasecurity/trivy-action/releases/tag/0.9.0 , please give it a try. Reopen if the issue still persists. Thanks! |
@AndreyLevchenko, thanks for adding the changes. I performed the tests below.
Test 1:
output: Published all severity results: LOW, MEDIUM, HIGH, CRITICAL etc... These results have the issues that are in the screenshot.
Test 2:
output: Published the CRITICAL, HIGH, and MEDIUM reports, but it has not captured the attached results for the ECR image. AWS captured these results. I did the same test locally on my Mac with the commands. Same results.
Please let me know if you need more information, thank you in advance. Cc'd @simar7 |
@simar7 @AndreyLevchenko Could you please provide an update? |
I've pinged @AndreyLevchenko to see if he can take another look at it. |
@kmganna |
I am running the trivy vulnerability scan on the docker image in the git action pipeline.
Below is the code.

```yaml
- name: Run Trivy vulnerability scanner on a container
  uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
  with:
    image-ref: '${{ inputs.registry }}/${{ inputs.repo_name }}:${{ inputs.image_version }}'
    format: 'sarif'
    severity: 'CRITICAL,HIGH,MEDIUM'
    output: 'trivy-container-results.sarif'
    ignore-unfixed: true
    timeout: ${{ inputs.timeout }}
```
The above code is working and gives results based on the severity for the application, and it ignores unfixed OS fixes (HIGH, MEDIUM and CRITICAL) and LOW fixes as well. Now if I set ignore-unfixed: false, it gives all the previously ignored OS fixes along with "LOW severity".
Requirement is:
If I use ignore-unfixed: false with severity CRITICAL, HIGH, and MEDIUM, the output file should contain the application issues and the OS issues filtered by that severity. It should not contain LOW or other issues.
Please suggest how to achieve it.
For reference:
The issue has been discussed in the below section
aquasecurity/trivy#1687 (reply in thread)
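The behaviour the reporter expects is that the severity filter and the ignore-unfixed filter are applied independently: severity always narrows the result set, and ignore-unfixed only additionally drops findings with no fixed version. The following Python is an added example written for this page, not code from Trivy or trivy-action. It post-filters a report in the shape of Trivy's `--format json` output (`Results[].Vulnerabilities[]` with `Severity` and `FixedVersion`); the embedded report is constructed for the example and its CVE identifiers and package names are placeholders, not real findings.

```python
import json

# Constructed sample in the shape of Trivy's JSON output. The CVE IDs,
# package names and versions are placeholders made up for this example.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "example.com/app:1.0 (alpine 3.x)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
                 "InstalledVersion": "3.0", "FixedVersion": "", "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "somelib",
                 "InstalledVersion": "0.1", "FixedVersion": "0.2", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "otherlib",
                 "InstalledVersion": "0.1", "FixedVersion": "", "Severity": "LOW"},
            ],
        },
    ],
})

# Severity names Trivy uses; anything else in the --severity list is a typo.
KNOWN_SEVERITIES = {"UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"}


def filter_report(report_json, severities, ignore_unfixed):
    """Return a copy of the report keeping only the wanted findings.

    `severities` is a comma-separated list like "CRITICAL,HIGH,MEDIUM".
    The severity filter is always enforced; `ignore_unfixed` additionally
    drops findings whose FixedVersion is empty or absent. The two filters
    never disable each other, which is the behaviour the issue asks for.
    """
    wanted = {s.strip().upper() for s in severities.split(",") if s.strip()}
    unknown = wanted - KNOWN_SEVERITIES
    if unknown:
        raise ValueError(f"unknown severities: {sorted(unknown)}")

    report = json.loads(report_json)
    for result in report.get("Results", []):
        kept = []
        # Trivy omits the key entirely for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN").upper() not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            kept.append(vuln)
        result["Vulnerabilities"] = kept
    return report


def vulnerability_ids(report):
    """Flatten a filtered report to its list of vulnerability IDs, in order."""
    return [v["VulnerabilityID"]
            for r in report.get("Results", [])
            for v in r.get("Vulnerabilities") or []]


if __name__ == "__main__":
    for ignore in (True, False):
        out = filter_report(SAMPLE_REPORT, "CRITICAL,HIGH,MEDIUM", ignore)
        print(f"ignore_unfixed={ignore}: {vulnerability_ids(out)}")
```

With ignore_unfixed set to True the filtered report keeps only the fixed CRITICAL and MEDIUM findings; with it set to False the unfixed HIGH finding comes back, but the LOW findings stay excluded in both cases because the severity filter is applied regardless.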