
bugfix: .trivyignore.yaml must exist as of trivy 0.57.0 (#11)
* bugfix: .trivyignore.yaml must exist as of trivy 0.57.0

* bugfix: make trivyignore a variable and update vuln-type switch

* update docs

* trivyignore file may not be empty
mastacheata authored Nov 4, 2024
1 parent fd49ee0 commit 7deb3e1
Showing 3 changed files with 15 additions and 9 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -154,5 +154,5 @@ To make sure you're doing a fresh run and instruct trivy to download a fresh vul
You can add more variables corresponding to the CLI switches as [documented on the trivy homepage](https://aquasecurity.github.io/trivy/v0.48/docs/references/configuration/cli/trivy/)
NOTE: This link points to the reference as of v0.48 - December 2023, make sure to check the latest version for changes in newer versions.

Last, but not least, you can set up a .trivyignore file in your project's root directory and enter one Vulnerability-ID per line to ignore that specific vulnerability. See the [trivy documentation](https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#by-finding-ids) for more (and up-to-date) info.
Last, but not least, you can set up a .trivyignore.yaml file in your project's root directory and enter one Vulnerability-ID per line to ignore that specific vulnerability. See the [trivy documentation](https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#by-finding-ids) for more (and up-to-date) info.
NOTE: This link points to the reference as of v0.48 - December 2023, make sure to check the latest version for changes in newer versions.
11 changes: 7 additions & 4 deletions security-checks.template.yaml
Expand Up @@ -17,19 +17,22 @@
DIRECTORY: "./"
# Is like that for backward-compatibility, previously we only had DIRECTORY.
FILENAME: "gl-codeclimate-$CI_JOB_NAME_SLUG.json"
TRIVY_IGNOREFILE_DIR: "./.trivyignore.yaml"
before_script:
- if [ ! -e ${TRIVY_CACHE_DIR} ]; then mkdir -p ${TRIVY_CACHE_DIR}; fi
# Create trivyignore.yaml if it doesn't exist yet
- if [ ! -e ${TRIVY_IGNOREFILE_DIR} ]; then echo "ambient_trivyignore_placeholder: None" > ${TRIVY_IGNOREFILE_DIR}; fi
allow_failure: true
script:
# Image report (Operating System Vulnerabilities)
- trivy image --exit-code 0 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners vuln --vuln-type os --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE >trivy-image.log 2>&1 || true
- trivy image --exit-code 0 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners vuln --pkg-types os --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE >trivy-image.log 2>&1 || true
# Filesystem report (Source Dependency Vulnerabilities)
- trivy filesystem --exit-code 0 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners misconfig,vuln --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json $DIRECTORY >trivy-fs.log 2>&1 || true
- trivy filesystem --exit-code 0 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners misconfig,vuln --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json $DIRECTORY >trivy-fs.log 2>&1 || true
# Report results as table
# Image report (Operating System Vulnerabilities)
- trivy image --exit-code 1 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners vuln --vuln-type os --format table $IMAGE || IMAGE_CODE=$?
- trivy image --exit-code 1 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners vuln --pkg-types os --format table $IMAGE || IMAGE_CODE=$?
# Filesystem report (Source Dependency Vulnerabilities)
- trivy filesystem --exit-code 1 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners misconfig,vuln --dependency-tree --format table $DIRECTORY || FILE_CODE=$?
- trivy filesystem --exit-code 1 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners misconfig,vuln --dependency-tree --format table $DIRECTORY || FILE_CODE=$?
# Combine report
- apk update && apk add jq sed
- jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > ${FILENAME}
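Review bot: The placeholder step added to before_script creates the ignore file silently and nothing in script prints the ignore file that governs all four `--ignorefile ${TRIVY_IGNOREFILE_DIR}` scans, so suppressions committed in a project's `.trivyignore.yaml` never appear in the job log where a reviewer would notice them. Adding `- cat ${TRIVY_IGNOREFILE_DIR}` right after the placeholder step makes the excluded IDs visible in every run; note that the job definition itself begins above this hunk. `TRIVY_IGNOREFILE_DIR` holds a file path rather than a directory, and the comment `# Create trivyignore.yaml if it doesn't exist yet` would be more useful as `# trivy >= 0.57.0 fails when --ignorefile is missing or empty, so write a non-empty placeholder`. The identical hunk in security-checks.yaml has the same points. The README line changed in this commit still describes one Vulnerability-ID per line, which appears not to match the YAML ignore-file format the placeholder is written in — worth confirming against the trivy filtering docs.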
11 changes: 7 additions & 4 deletions security-checks.yaml
Expand Up @@ -20,19 +20,22 @@ container_scanning:
DIRECTORY: "./"
# Is like that for backward-compatibility, previously we only had DIRECTORY.
FILENAME: "gl-codeclimate-$CI_JOB_NAME_SLUG.json"
TRIVY_IGNOREFILE_DIR: "./.trivyignore.yaml"
before_script:
- if [ ! -e ${TRIVY_CACHE_DIR} ]; then mkdir -p ${TRIVY_CACHE_DIR}; fi
# Create trivyignore.yaml if it doesn't exist yet
- if [ ! -e ${TRIVY_IGNOREFILE_DIR} ]; then echo "ambient_trivyignore_placeholder: None" > ${TRIVY_IGNOREFILE_DIR}; fi
allow_failure: true
script:
# Image report (Operating System Vulnerabilities)
- trivy image --exit-code 0 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners vuln --vuln-type os --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE >trivy-image.log 2>&1 || true
- trivy image --exit-code 0 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners vuln --pkg-types os --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE >trivy-image.log 2>&1 || true
# Filesystem report (Source Dependency Vulnerabilities)
- trivy filesystem --exit-code 0 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners misconfig,vuln --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json $DIRECTORY >trivy-fs.log 2>&1 || true
- trivy filesystem --exit-code 0 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners misconfig,vuln --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json $DIRECTORY >trivy-fs.log 2>&1 || true
# Report results as table
# Image report (Operating System Vulnerabilities)
- trivy image --exit-code 1 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners vuln --vuln-type os --format table $IMAGE || IMAGE_CODE=$?
- trivy image --exit-code 1 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners vuln --pkg-types os --format table $IMAGE || IMAGE_CODE=$?
# Filesystem report (Source Dependency Vulnerabilities)
- trivy filesystem --exit-code 1 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners misconfig,vuln --dependency-tree --format table $DIRECTORY || FILE_CODE=$?
- trivy filesystem --exit-code 1 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners misconfig,vuln --dependency-tree --format table $DIRECTORY || FILE_CODE=$?
# Combine report
- apk update && apk add jq sed
- jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > ${FILENAME}
