docs: filtering vulnerabilities with trivy (#251)

Co-authored-by: Sertaç Özercan <[email protected]>
project-copacetic · Aug 16, 2023 · ae0b05b · ae0b05b
1 parent cbf4117
commit ae0b05b
Show file tree

Hide file tree

Showing 9 changed files with 65 additions and 0 deletions.
diff --git a/website/docs/troubleshooting.md b/website/docs/troubleshooting.md
@@ -0,0 +1,64 @@
+---
+title: Troubleshooting
+---
+
+## Filtering Vulnerabilities
+
+You might want to filter/ignore some of the vulnerabilities while patching. To do so, you need to first filter those undesired vulnerabilities from your scanner output.
+
+For Trivy, vulnerabilities can be filtered by the following 2 ways:
+
+### Rego Policy
+
+An example rego file which demonstrates how to ignore certain Vulnerability IDs or Package Names:
+
+```bash
+$ cat trivy_ignore.rego
+
+package trivy
+
+import data.lib.trivy
+
+default ignore = false
+
+
+# Ignore the following Vulnerability IDs
+ignore_vulnerability_ids := {
+   "CVE-2018-14618"
+}
+# Ignore the following Package Names
+ignore_pkgs := {"bash", "vim"}
+
+
+# For ignoring vulnID
+ignore {
+   input.VulnerabilityID == ignore_vulnerability_ids[_]
+}
+# For ignoring pkgName
+ignore {
+	input.PkgName == ignore_pkgs[_]
+}
+
+```
+
+After adding the above rego file, run the image scan with the `--ignore-policy` flag followed by the file name to ignore them while scanning:
+
+```bash
+trivy image --ignore-policy trivy_ignore.rego ruby:2.4.0
+```
+In the above example, the vulnerability "CVE-2018-14618"  and the packages "bash" & "vim" are ignored while scanning, and hence patching the image.
+
+### Ignore File
+
+Use a `.trivyignore` file to list all the vulnerabilities you want to ignore.
+
+Example:
+```bash
+$ cat .trivyignore
+
+# Accept the risk
+CVE-2018-14618
+```
+In the above example, the vulnerability CVE-2018-14618 is ignored while scanning, and hence while patching the image.
+
+For a more detailed explanation on how to ignore certain vulnerabilities with Trivy, please refer to the official documentation [here](https://aquasecurity.github.io/trivy/v0.44/docs/configuration/filtering/).
diff --git a/website/sidebars.js b/website/sidebars.js
@@ -17,6 +17,7 @@ const sidebars = {
     'introduction',
     'installation',
     'quick-start',
+    'troubleshooting',
     'design',
     'contributing',
     'code-of-conduct'

diff --git a/...ed_docs/version-v0.1.0/code-of-conduct.md → ...ed_docs/version-v0.1.x/code-of-conduct.md b/...ed_docs/version-v0.1.0/code-of-conduct.md → ...ed_docs/version-v0.1.x/code-of-conduct.md
diff --git a/...ioned_docs/version-v0.1.0/contributing.md → ...ioned_docs/version-v0.1.x/contributing.md b/...ioned_docs/version-v0.1.0/contributing.md → ...ioned_docs/version-v0.1.x/contributing.md
diff --git a/...e/versioned_docs/version-v0.1.0/design.md → ...e/versioned_docs/version-v0.1.x/design.md b/...e/versioned_docs/version-v0.1.0/design.md → ...e/versioned_docs/version-v0.1.x/design.md
diff --git a/...ioned_docs/version-v0.1.0/installation.md → ...ioned_docs/version-v0.1.x/installation.md b/...ioned_docs/version-v0.1.0/installation.md → ...ioned_docs/version-v0.1.x/installation.md
diff --git a/...ioned_docs/version-v0.1.0/introduction.md → ...ioned_docs/version-v0.1.x/introduction.md b/...ioned_docs/version-v0.1.0/introduction.md → ...ioned_docs/version-v0.1.x/introduction.md
diff --git a/...sioned_docs/version-v0.1.0/quick-start.md → ...sioned_docs/version-v0.1.x/quick-start.md b/...sioned_docs/version-v0.1.0/quick-start.md → ...sioned_docs/version-v0.1.x/quick-start.md
diff --git a/...ned_sidebars/version-v0.1.0-sidebars.json → ...ned_sidebars/version-v0.1.x-sidebars.json b/...ned_sidebars/version-v0.1.0-sidebars.json → ...ned_sidebars/version-v0.1.x-sidebars.json