forked from kagenti/kagenti
.trivyignore
# Trivy Ignore File
# These are intentional exceptions with documented rationale
# Use AVD- prefix format (e.g., AVD-DS-0002, AVD-KSV-0041)
# AVD-DS-0002: mlflow-oauth-secret runs in OpenShift with random UID
# The Dockerfile sets g=u permissions for OpenShift compatibility (random UID assignment).
# Adding a fixed USER directive would conflict with OpenShift's security model.
# File: kagenti/auth/mlflow-oauth-secret/Dockerfile
# Note: This is a global suppression (Trivy doesn't support per-file suppressions for DS-* checks)
AVD-DS-0002
# HyperShift CI ClusterRole RBAC permissions
# The k8s-ci-clusterrole.yaml has documented security notes explaining why broad permissions
# are required:
# 1. Kubernetes RBAC doesn't support namespace prefix wildcards
# 2. HyperShift dynamically creates control plane namespaces (clusters-<name>)
# 3. The operator, not CI, creates these namespaces so we can't pre-create RoleBindings
# 4. Permissions are minimized to specific resources (not wildcards)
# See file comments for full security analysis: .github/scripts/hypershift/policies/k8s-ci-clusterrole.yaml
# AVD-KSV-0041: ClusterRole managing secrets (required for HyperShift kubeconfig)
AVD-KSV-0041
# AVD-KSV-0048: ClusterRole managing pods/deployments (required for CI cleanup)
AVD-KSV-0048
# AVD-KSV-0049: ClusterRole managing configmaps (required for Kagenti config)
AVD-KSV-0049
# Sandbox deployment manifests use trusted registries:
# - image-registry.openshift-image-registry.svc:5000: OpenShift internal build registry
# - registry.redhat.io: Red Hat certified images
# - ghcr.io/berriai: LiteLLM upstream
AVD-KSV-0125
# Internal agent base image uses :latest (built on-cluster, no external tag)
AVD-DS-0001
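A small linter for the convention this file follows (every suppressed ID uses the AVD- prefix and has its rationale comment directly above it), added here as an example; it is not part of the kagenti repository. The sample input is constructed: two entries modelled on the ones above, plus one undocumented ID and one ID missing the AVD- prefix.

```python
import re
from typing import Dict, List, Tuple

# ID form the file header asks for: AVD-<check group>-<four digits>.
# Trivy itself also accepts other IDs (e.g. CVE-*) in .trivyignore; the
# AVD-only rule here enforces this repository's stated convention.
AVD_ID = re.compile(r"^AVD-[A-Z]+-\d{4}$")


def parse_trivyignore(text: str) -> List[Tuple[str, List[str]]]:
    """Return (id, rationale) pairs: each suppressed ID with the comment
    lines immediately above it. A blank line or a previous ID ends the
    comment block, so a comment far above an entry is not credited to it."""
    entries: List[Tuple[str, List[str]]] = []
    pending: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            pending = []
            continue
        if line.startswith("#"):
            pending.append(line.lstrip("#").strip())
            continue
        # Trailing "# ..." text on an entry line is dropped (linter convention).
        entry_id = line.split("#", 1)[0].strip()
        entries.append((entry_id, pending))
        pending = []
    return entries


def lint(text: str) -> Dict[str, List[str]]:
    """Report suppressions a reviewer would push back on: IDs that do not
    follow the AVD- format, and IDs with no rationale comment above them."""
    problems: Dict[str, List[str]] = {"malformed": [], "undocumented": []}
    for entry_id, rationale in parse_trivyignore(text):
        if not AVD_ID.match(entry_id):
            problems["malformed"].append(entry_id)
        elif not rationale:
            problems["undocumented"].append(entry_id)
    return problems


# Constructed sample: two documented entries, one undocumented, one malformed.
SAMPLE = """\
# AVD-DS-0002: image runs in OpenShift with a random UID
AVD-DS-0002

# AVD-KSV-0041: ClusterRole managing secrets (required for HyperShift kubeconfig)
AVD-KSV-0041
AVD-KSV-0048
DS-0002
"""

if __name__ == "__main__":
    print(lint(SAMPLE))
```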