Skip to content

update trivy config #247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
wojcik91 merged 4 commits into from
Jan 12, 2026
Merged

update trivy config #247

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e8800ae
update nix flake
wojcik91 Jan 12, 2026
6caf034
add trivyignore config
wojcik91 Jan 12, 2026
e3227c6
use ignore config in CI pipelines
wojcik91 Jan 12, 2026
7da90a7
update cargo deny config
wojcik91 Jan 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/workflows/build-docker.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,9 @@ jobs:

- name: Scan image with Trivy
uses: aquasecurity/trivy-action@0.33.1
env:
TRIVY_SHOW_SUPPRESSED: 1
TRIVY_IGNOREFILE: "./.trivyignore.yaml"
with:
image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
format: "table"
Expand Down
7 changes: 5 additions & 2 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,9 +35,12 @@ jobs:

- name: Scan code with Trivy
uses: aquasecurity/trivy-action@0.33.1
env:
TRIVY_SHOW_SUPPRESSED: 1
TRIVY_IGNOREFILE: "./.trivyignore.yaml"
with:
scan-type: 'fs'
scan-ref: '.'
scan-type: "fs"
scan-ref: "."
exit-code: "1"
ignore-unfixed: true
severity: "CRITICAL,HIGH,MEDIUM"
Expand Down
32 changes: 22 additions & 10 deletions .github/workflows/sbom.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,40 +34,52 @@ jobs:

- name: Create SBOM with Trivy
uses: aquasecurity/trivy-action@0.33.1
env:
TRIVY_SHOW_SUPPRESSED: 1
TRIVY_IGNOREFILE: "./.trivyignore.yaml"
with:
scan-type: 'fs'
format: 'spdx-json'
scan-type: "fs"
format: "spdx-json"
output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}.sbom.json"
scan-ref: '.'
scan-ref: "."
severity: "CRITICAL,HIGH,MEDIUM,LOW"
scanners: "vuln"

- name: Create docker image SBOM with Trivy
uses: aquasecurity/trivy-action@0.33.1
env:
TRIVY_SHOW_SUPPRESSED: 1
TRIVY_IGNOREFILE: "./.trivyignore.yaml"
with:
image-ref: "ghcr.io/defguard/gateway:${{ steps.vars.outputs.VERSION }}"
scan-type: 'image'
format: 'spdx-json'
scan-type: "image"
format: "spdx-json"
output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}-docker.sbom.json"
severity: "CRITICAL,HIGH,MEDIUM,LOW"
scanners: "vuln"

- name: Create security advisory file with Trivy
uses: aquasecurity/trivy-action@0.33.1
env:
TRIVY_SHOW_SUPPRESSED: 1
TRIVY_IGNOREFILE: "./.trivyignore.yaml"
with:
scan-type: 'fs'
format: 'json'
scan-type: "fs"
format: "json"
output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}.advisories.json"
scan-ref: '.'
scan-ref: "."
severity: "CRITICAL,HIGH,MEDIUM,LOW"
scanners: "vuln"

- name: Create docker image security advisory file with Trivy
uses: aquasecurity/trivy-action@0.33.1
env:
TRIVY_SHOW_SUPPRESSED: 1
TRIVY_IGNOREFILE: "./.trivyignore.yaml"
with:
image-ref: "ghcr.io/defguard/gateway:${{ steps.vars.outputs.VERSION }}"
scan-type: 'image'
format: 'json'
scan-type: "image"
format: "json"
output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}-docker.advisories.json"
severity: "CRITICAL,HIGH,MEDIUM,LOW"
scanners: "vuln"
Expand Down
4 changes: 4 additions & 0 deletions .trivyignore.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
vulnerabilities:
- id: GHSA-585q-cm62-757j
expired_at: 2026-02-12
statement: "No fixed version available yet. The Mullvad team intends to fix it in the coming weeks: https://github.com/mullvad/mnl-rs/issues/15"
5 changes: 4 additions & 1 deletion deny.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,10 @@ feature-depth = 1
#db-urls = ["https://github.com/rustsec/advisory-db"]
# A list of advisory IDs to ignore. Note that ignored advisories will still
# output a note when they are encountered.
ignore = [{ id = "RUSTSEC-2024-0436", reason = "Unmaintained" }]
ignore = [
{ id = "RUSTSEC-2024-0436", reason = "Unmaintained" },
{ id = "RUSTSEC-2025-0142", reason = "Awaiting upstream patch" },
]
# If this is true, then cargo deny will use the git executable to fetch advisory database.
# If this is false, then it uses a built-in git library.
# Setting this to true can be helpful if you have special authentication requirements that cargo-deny does not support.
Expand Down
12 changes: 6 additions & 6 deletions flake.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions flake.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@
rustToolchain
libnftnl
libmnl
trivy
];
};
});
Expand Down