Add scoped Trivy exception for Gitea

This commit is contained in:
juvdiaz 2026-05-25 14:35:52 -06:00
parent 62d52886f0
commit f7e3065cda
2 changed files with 16 additions and 2 deletions


@ -114,10 +114,15 @@ jobs:
printf '{}\n' > "${trivy_docker_config}/config.json" printf '{}\n' > "${trivy_docker_config}/config.json"
export DOCKER_CONFIG="${trivy_docker_config}" export DOCKER_CONFIG="${trivy_docker_config}"
trivy_ignore_args=()
if [[ -f .trivyignore.yaml ]]; then
trivy_ignore_args=(--ignorefile .trivyignore.yaml)
fi
"${trivy_bin}" fs --scanners vuln,misconfig --severity HIGH,CRITICAL \ "${trivy_bin}" fs --scanners vuln,misconfig --severity HIGH,CRITICAL \
--exit-code 0 --no-progress --cache-dir "${trivy_cache}" . --exit-code 0 --no-progress --cache-dir "${trivy_cache}" "${trivy_ignore_args[@]}" .
"${trivy_bin}" fs --scanners vuln,misconfig --severity CRITICAL \ "${trivy_bin}" fs --scanners vuln,misconfig --severity CRITICAL \
--exit-code 1 --no-progress --cache-dir "${trivy_cache}" . --exit-code 1 --no-progress --cache-dir "${trivy_cache}" "${trivy_ignore_args[@]}" .
- name: Validate shell, Kubernetes manifests, and OpenTofu stacks - name: Validate shell, Kubernetes manifests, and OpenTofu stacks
run: | run: |
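Review bot: The CRITICAL gate on the last `"${trivy_bin}" fs` invocation now trusts `.trivyignore.yaml` from the very checkout it is scanning, so any change that can land in the tree (a pull-request branch too, if this workflow runs on PRs) can add an `id`/`paths` entry and silence the `--exit-code 1` run without touching the workflow. Treat the ignore file as security-sensitive: cover it with CODEOWNERS or a required-review rule, and keep suppressions visible in the log, for example by adding `--show-suppressed` to the reporting (`--exit-code 0`) invocation if the pinned Trivy version supports that flag. A comment above the `trivy_ignore_args=()` line such as `# Scoped exceptions live in .trivyignore.yaml (id + paths + statement); review them like code, never a repo-wide ID ignore.` would tell the next maintainer where exceptions belong. The `run:` block these lines sit in starts and continues outside the hunk.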

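--- /dev/null
+++ b/.trivyignore.yaml
@@ -0,0 +1,9 @@
+misconfigurations:
+- id: KSV-0014
+  paths:
+  - apps/gitea/deployment.yaml
+  statement: Gitea needs a separate tested migration to the rootless image because its current persistent volume layout uses the standard image /data path and OpenSSH setup.
+- id: KSV-0118
+  paths:
+  - apps/gitea/deployment.yaml
+  statement: Gitea needs a separate tested migration to the rootless image because its current persistent volume layout uses the standard image /data path and OpenSSH setup.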
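Review bot: Neither entry sets `expired_at`, so an exception whose own `statement` says the real fix is a still-pending migration has no deadline and will outlive that migration unless someone remembers to delete it. Trivy's YAML ignore format accepts `expired_at: YYYY-MM-DD` per entry; adding one (for example `expired_at: 2026-08-31`) makes the CRITICAL gate fail again and forces a re-review once the date passes. The `paths` scope to `apps/gitea/deployment.yaml` is the right shape, and should stay that narrow rather than becoming a repo-wide ignore of these IDs. If KSV-0014 is the read-only-root-filesystem check, moving to the rootless image alone would not clear it, so the `statement` may deserve a sentence on the /data write path as well.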