[Feature Proposal] Support '--ignore-unfixed' for Trivy container scanning
Release notes
Support --ignore-unfixed for Trivy container scanning.
Problem to solve
Currently, when using the standard container scanning job, all vulnerabilities are listed, both fixable and non-fixable. Non-fixable vulnerabilities are known issues for which no updated OS package that fixes them exists yet.
Because of this, the security report carries a lot of noise: vulnerabilities we can't actually fix. This means spending more time and effort triaging the report.
One option would be to ignore these vulnerabilities individually, but that would be a very bad idea, because we would miss the update when the fix actually comes out.
Proposal
Trivy, the standard container scanner used by GitLab's container scanning, already provides a --ignore-unfixed CLI switch that enables the desired behaviour.
GitLab only needs to expose a way to pass this flag.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- Rachel (Release Manager)
- Alex (Security Operations Engineer)
- Allison (Application Ops)
- Priyanka (Platform Engineer)
Implementation plan
- backend: Extend the scan_command method in lib/gcs/trivy.rb to add --ignore-unfixed when the CS_IGNORE_UNFIXED variable is set to true (default: false).
- backend: Extend the scan_command method in lib/gcs/grype.rb to add --only-fixed when the CS_IGNORE_UNFIXED variable is set to true (default: false).
- backend: Add a new method ignore_unfixed_vulnerabilities? in lib/gcs/environment.rb to encapsulate fetching the CS_IGNORE_UNFIXED variable (default: false).
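The following Ruby sketch illustrates the three implementation steps above. It is an added example, not code from the GitLab container-scanning project: only the names scan_command, ignore_unfixed_vulnerabilities? and CS_IGNORE_UNFIXED come from the plan, while the module layout, the constructor arguments and the simplified base command lines for trivy and grype are assumptions made for this illustration.

```ruby
# Illustrative sketch of the proposed CS_IGNORE_UNFIXED handling.
# Added example, not the project's own code; everything except the
# scan_command / ignore_unfixed_vulnerabilities? names and the
# CS_IGNORE_UNFIXED variable is an assumption for this example.
module Gcs
  module Environment
    # True only for the literal string "true" (case-insensitive).
    # An unset variable, or any other value, keeps the proposed
    # default of false so the scan behaviour does not change silently.
    # `env` defaults to ENV but accepts any Hash-like object for testing.
    def self.ignore_unfixed_vulnerabilities?(env = ENV)
      env.fetch('CS_IGNORE_UNFIXED', 'false').to_s.strip.casecmp?('true')
    end
  end

  # Trivy: the upstream switch that drops findings without a fix is --ignore-unfixed.
  class Trivy
    def self.scan_command(image, env: ENV)
      cmd = %w[trivy image --format json] # base command is a simplified assumption
      cmd << '--ignore-unfixed' if Environment.ignore_unfixed_vulnerabilities?(env)
      cmd << image
    end
  end

  # Grype: the equivalent switch is --only-fixed.
  class Grype
    def self.scan_command(image, env: ENV)
      cmd = %w[grype -o json] # base command is a simplified assumption
      cmd << '--only-fixed' if Environment.ignore_unfixed_vulnerabilities?(env)
      cmd << image
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a job with CS_IGNORE_UNFIXED=true and one without.
  with_flag = { 'CS_IGNORE_UNFIXED' => 'true' }
  puts Gcs::Trivy.scan_command('example/app:1.0', env: with_flag).join(' ')
  puts Gcs::Grype.scan_command('example/app:1.0', env: {}).join(' ')
end
```

Keeping the decision in one predicate means both scanners read the variable the same way, and because the flag filters on fix availability at scan time rather than on a fixed list of vulnerability IDs, a finding that was hidden as unfixable reappears in the report as soon as the distribution ships a fixed package, which is the property the problem statement asks for.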