feat: add support for custom Trivy ignore file (#2750)

afdesk · web-flow · commit ccb35a1699af · 2025-12-03T18:31:45.000-07:00
* fix(helm): improve `trivy.ignoreFile` rendering

* feat: add support a custom trivyignore name

* test: add test to fix the previous behavior for .trivyignore

* chore: clean up unused variable

* chore: use a correct path joining

* chore: use a default vuln image

* test: fix CVE ignoring

* chore(test): remove redundant logic
diff --git a/deploy/helm/README.md b/deploy/helm/README.md
@@ -147,6 +147,7 @@ Keeps security report resources updated
 | trivy.httpProxy | string | `nil` | httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. |
 | trivy.httpsProxy | string | `nil` | httpsProxy is the HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub. |
 | trivy.ignoreFile | string | `nil` | ignoreFile can be used to tell Trivy to ignore vulnerabilities by ID (one per line) |
+| trivy.ignoreFileName | string | `""` | ignoreFileName sets the file name that will be mounted inside the scanner container. Defaults to ".trivyignore" if not set. |
 | trivy.ignoreUnfixed | bool | `false` | ignoreUnfixed is the flag to show only fixed vulnerabilities in vulnerabilities reported by Trivy. Set to true to enable it.  |
 | trivy.image.imagePullSecret | string | `nil` | imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace |
 | trivy.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the imge pull policy used for trivy image , valid values are (Always, Never, IfNotPresent) |
diff --git a/deploy/helm/templates/configmaps/trivy.yaml b/deploy/helm/templates/configmaps/trivy.yaml
@@ -86,9 +86,10 @@ data:
   {{- end }}
   {{- if .Values.trivy.ignoreFile }}
   trivy.ignoreFile: |
-{{- range .Values.trivy.ignoreFile }}
-    {{ . | indent 4 }}
+  {{- .Values.trivy.ignoreFile | toYaml | nindent 4 }}
   {{- end }}
+  {{- with .Values.trivy.ignoreFileName }}
+  trivy.ignoreFileName: {{ . | quote }}
   {{- end }}
   {{- range $k, $v := .Values.trivy }}
   {{- if hasPrefix "ignorePolicy" $k }}
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -458,6 +458,10 @@ trivy:
   #   - CVE-1970-0001
   #   - CVE-1970-0002
 
+  # -- ignoreFileName sets the file name that will be mounted inside the scanner container.
+  # Defaults to ".trivyignore" if not set.
+  ignoreFileName: ""
+
   # -- configFile can be used to tell Trivy to use specific options available only in the config file (e.g. Mirror registries).
   configFile: ~
   # configFile:
diff --git a/docs/docs/vulnerability-scanning/trivy.md b/docs/docs/vulnerability-scanning/trivy.md
@@ -110,7 +110,8 @@ EOF
 | `trivy.offlineScan`                          | N/A                                       | Whether to enable the offline scan mode of Trivy preventing outgoing calls, e.g. to <search.maven.org> for additional vulnerability information. Set to `"true"` to enable it.                                                                                                                                                                                                                               |
 | `trivy.skipFiles`                            | N/A                                       | A comma separated list of file paths for Trivy to skip traversal.                                                                                                                                                                                                                                                                                                                                            |
 | `trivy.skipDirs`                             | N/A                                       | A comma separated list of directories for Trivy to skip traversal.                                                                                                                                                                                                                                                                                                                                           |
-| `trivy.ignoreFile`                           | N/A                                       | It specifies the `.trivyignore` file which contains a list of vulnerability IDs to be ignored from vulnerabilities reported by Trivy.                                                                                                                                                                                                                                                                        |
+| `trivy.ignoreFile`                           | N/A                                       | It specifies the contents of the ignore file which contains a list of vulnerability IDs to be ignored from vulnerabilities reported by Trivy (one per line). |
+| `trivy.ignoreFileName`                       | `.trivyignore`                             | The file name to mount inside the scanner container for the ignore list. |
 | `trivy.ignorePolicy`                         | N/A                                       | It specifies a fallback [policy](https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-rego) file which allows to customize which vulnerabilities are reported by Trivy.                                                                                                                                                                                                              |
 | `trivy.ignorePolicy.{ns}`                    | N/A                                       | It specifies a namespace specific [policy](https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-rego) file which allows to customize which vulnerabilities are reported by Trivy.                                                                                                                                                                                                    |
 | `trivy.ignorePolicy.{ns}.{wl}`               | N/A                                       | It specifies a namespace/workload specific [policy](https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-rego) file which allows to customize which vulnerabilities are reported by Trivy.                                                                                                                                                                                           |
diff --git a/pkg/plugins/trivy/config.go b/pkg/plugins/trivy/config.go
@@ -2,6 +2,7 @@ package trivy
 
 import (
 	"fmt"
+	"path"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -31,6 +32,7 @@ const (
 	keyTrivyOfflineScan                         = "trivy.offlineScan"
 	keyTrivyTimeout                             = "trivy.timeout"
 	keyTrivyIgnoreFile                          = "trivy.ignoreFile"
+	keyTrivyIgnoreFileName                      = "trivy.ignoreFileName"
 	keyTrivyIgnorePolicy                        = "trivy.ignorePolicy"
 	keyTrivyInsecureRegistryPrefix              = "trivy.insecureRegistry."
 	keyTrivyNonSslRegistryPrefix                = "trivy.nonSslRegistry."
@@ -343,6 +345,23 @@ func (c Config) IgnoreFileExists() bool {
 	_, ok := c.Data[keyTrivyIgnoreFile]
 	return ok
 }
+
+// GetIgnoreFileName returns the ignore file name to be mounted inside the scanner container.
+// Defaults to the package-level default (".trivyignore") when not explicitly set.
+func (c Config) GetIgnoreFileName() string {
+	if v, ok := c.Data[keyTrivyIgnoreFileName]; ok {
+		v = strings.TrimSpace(v)
+		if v != "" {
+			return v
+		}
+	}
+	return ignoreFileName
+}
+
+// IgnoreFileMountPath returns full mount path for the ignore file.
+func (c Config) IgnoreFileMountPath() string {
+	return path.Join("/etc", "trivy", c.GetIgnoreFileName())
+}
 func (c Config) ConfigFileExists() bool {
 	_, ok := c.Data[keyTrivyConfigFile]
 	return ok
@@ -386,16 +405,16 @@ func (c Config) GenerateIgnoreFileVolumeIfAvailable(trivyConfigName string) (*co
 				Items: []corev1.KeyToPath{
 					{
 						Key:  keyTrivyIgnoreFile,
-						Path: ignoreFileName,
+						Path: c.GetIgnoreFileName(),
 					},
 				},
 			},
 		},
 	}
 	volumeMount := corev1.VolumeMount{
 		Name:      ignoreFileVolumeName,
-		MountPath: ignoreFileMountPath,
-		SubPath:   ignoreFileName,
+		MountPath: c.IgnoreFileMountPath(),
+		SubPath:   c.GetIgnoreFileName(),
 	}
 	return &volume, &volumeMount
 }
diff --git a/pkg/plugins/trivy/config_test.go b/pkg/plugins/trivy/config_test.go
@@ -922,6 +922,44 @@ func TestPlugin_FindIgnorePolicyKey(t *testing.T) {
 	}
 }
 
+func TestConfig_IgnoreFileMountPath(t *testing.T) {
+	tests := []struct {
+		name     string
+		value    string
+		setKey   bool
+		expected string
+	}{
+		{
+			name:     "default name when unset",
+			setKey:   false,
+			expected: "/etc/trivy/.trivyignore",
+		},
+		{
+			name:     "custom file name",
+			setKey:   true,
+			value:    "custom.ignore",
+			expected: "/etc/trivy/custom.ignore",
+		},
+		{
+			name:     "whitespace falls back to default",
+			setKey:   true,
+			value:    "   ",
+			expected: "/etc/trivy/.trivyignore",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := Config{PluginConfig: trivyoperator.PluginConfig{Data: make(map[string]string)}}
+			if tt.setKey {
+				cfg.Data[keyTrivyIgnoreFileName] = tt.value
+			}
+			got := cfg.IgnoreFileMountPath()
+			assert.Equal(t, tt.expected, got)
+		})
+	}
+}
+
 func TestPlugin_GetIncludeDevDeps(t *testing.T) {
 
 	testCases := []struct {
diff --git a/pkg/plugins/trivy/filesystem.go b/pkg/plugins/trivy/filesystem.go
@@ -176,7 +176,7 @@ func GetPodSpecForStandaloneFSMode(ctx trivyoperator.PluginContext, config Confi
 		if config.IgnoreFileExists() {
 			env = append(env, corev1.EnvVar{
 				Name:  "TRIVY_IGNOREFILE",
-				Value: ignoreFileMountPath,
+				Value: config.IgnoreFileMountPath(),
 			})
 		}
 		if config.FindIgnorePolicyKey(workload) != "" {
@@ -406,7 +406,7 @@ func GetPodSpecForClientServerFSMode(ctx trivyoperator.PluginContext, config Con
 		if config.IgnoreFileExists() {
 			env = append(env, corev1.EnvVar{
 				Name:  "TRIVY_IGNOREFILE",
-				Value: ignoreFileMountPath,
+				Value: config.IgnoreFileMountPath(),
 			})
 		}
 		if config.FindIgnorePolicyKey(workload) != "" {
diff --git a/pkg/plugins/trivy/image.go b/pkg/plugins/trivy/image.go
@@ -225,7 +225,7 @@ func GetPodSpecForStandaloneMode(ctx trivyoperator.PluginContext,
 		if config.IgnoreFileExists() {
 			env = append(env, corev1.EnvVar{
 				Name:  "TRIVY_IGNOREFILE",
-				Value: ignoreFileMountPath,
+				Value: config.IgnoreFileMountPath(),
 			})
 		}
 		if config.FindIgnorePolicyKey(workload) != "" {
@@ -460,7 +460,7 @@ func GetPodSpecForClientServerMode(ctx trivyoperator.PluginContext, config Confi
 		if config.IgnoreFileExists() {
 			env = append(env, corev1.EnvVar{
 				Name:  "TRIVY_IGNOREFILE",
-				Value: ignoreFileMountPath,
+				Value: config.IgnoreFileMountPath(),
 			})
 		}
 		if config.FindIgnorePolicyKey(workload) != "" {
diff --git a/pkg/plugins/trivy/plugin.go b/pkg/plugins/trivy/plugin.go
@@ -119,7 +119,6 @@ const (
 	ignoreFileName              = ".trivyignore"
 	configFileName              = "trivy-config.yaml"
 	configFileMountPath         = "/etc/trivy/" + configFileName
-	ignoreFileMountPath         = "/etc/trivy/" + ignoreFileName
 	ignorePolicyVolumeName      = "ignorepolicy"
 	ignorePolicyName            = "policy.rego"
 	ignorePolicyMountPath       = "/etc/trivy/" + ignorePolicyName
diff --git a/tests/itest/trivy-operator/trivyignore_test.go b/tests/itest/trivy-operator/trivyignore_test.go
@@ -0,0 +1,92 @@
+package trivy_operator
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/types"
+	crclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	v1alpha1 "github.com/aquasecurity/trivy-operator/pkg/apis/aquasecurity/v1alpha1"
+	"github.com/aquasecurity/trivy-operator/pkg/operator/etc"
+	"github.com/aquasecurity/trivy-operator/pkg/trivyoperator"
+	"github.com/aquasecurity/trivy-operator/tests/itest/helper"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Trivy ignoreFile integration", func() {
+	var ctx context.Context
+
+	BeforeEach(func() {
+		ctx = context.Background()
+	})
+
+	It("hides CVE when set in .trivyignore", func() {
+		const IgnoredCVE = "CVE-2018-14618"
+
+		// Patch trivy-operator-trivy-config ConfigMap to include CVEToIgnore in trivy.ignoreFile
+		operatorConfig, err := etc.GetOperatorConfig()
+		Expect(err).ToNot(HaveOccurred())
+		operatorNamespace, err := operatorConfig.GetOperatorNamespace()
+		Expect(err).ToNot(HaveOccurred())
+
+		cm := &corev1.ConfigMap{}
+		Expect(kubeClient.Get(ctx, clientObjectKey(operatorNamespace, trivyoperator.TrivyConfigMapName), cm)).To(Succeed())
+
+		cm.Data["trivy.ignoreFile"] = fmt.Sprintf("%s\n", IgnoredCVE)
+
+		By("Updating trivy.ignoreFile in ConfigMap")
+		Expect(kubeClient.Update(ctx, cm)).To(Succeed())
+
+		// Brief wait to reduce races where a scan could start before CM is observed by the controller
+		time.Sleep(5 * time.Second)
+
+		// Create an unmanaged Pod using kube-bench image and assert the ignored CVE is not reported
+		pod := helper.NewPod().
+			WithRandomName("trivyignore-kubebench").
+			WithNamespace(inputs.PrimaryNamespace).
+			WithContainer("kube-bench", "mirror.gcr.io/knqyf263/vuln-image:1.2.3", []string{"/bin/sh", "-c", "--"}, []string{"while true; do sleep 30; done;"}).
+			Build()
+
+		By("Creating kube-bench Pod")
+		Expect(inputs.Create(ctx, pod)).To(Succeed())
+		DeferCleanup(func() {
+			_ = inputs.Delete(ctx, pod)
+		})
+
+		By("Waiting for VulnerabilityReport")
+		Eventually(inputs.HasVulnerabilityReportOwnedBy(ctx, pod), inputs.AssertTimeout, inputs.PollingInterval).Should(BeTrue())
+
+		vrList := &v1alpha1.VulnerabilityReportList{}
+		Expect(kubeClient.List(ctx, vrList, clientListOptionsForOwner(pod.ObjectMeta, "Pod"))).To(Succeed())
+		Expect(vrList.Items).ToNot(BeEmpty(), "expected at least one VulnerabilityReport for the pod")
+
+		// The report must not include the ignored CVE ID
+		for _, vr := range vrList.Items {
+			for _, v := range vr.Report.Vulnerabilities {
+				Expect(v.VulnerabilityID).ToNot(Equal(IgnoredCVE), fmt.Sprintf("unexpectedly found ignored CVE %s", IgnoredCVE))
+			}
+		}
+	})
+})
+
+// clientListOptionsForOwner builds ListOptions that match a VulnerabilityReport owned by the given object.
+func clientListOptionsForOwner(obj metav1.ObjectMeta, kind string) crclient.ListOption {
+	sel := labels.Set{
+		trivyoperator.LabelResourceNamespace: obj.Namespace,
+		trivyoperator.LabelResourceKind:      kind,
+		trivyoperator.LabelResourceName:      obj.Name,
+	}
+	return crclient.MatchingLabels(sel)
+}
+
+// clientObjectKey returns a NamespacedName tuple for use with client.Get.
+func clientObjectKey(namespace, name string) types.NamespacedName {
+	return types.NamespacedName{Namespace: namespace, Name: name}
+}
