Add scoped Trivy exception for Gitea

2026-05-25 14:35:52 -06:00 · 2026-05-25 14:35:52 -06:00 · f7e3065cda
parent 62d52886f0
commit f7e3065cda
2 changed files with 16 additions and 2 deletions
--- a/.gitea/workflows/homelab-main.yml
+++ b/.gitea/workflows/homelab-main.yml
@ -114,10 +114,15 @@ jobs:
          printf '{}\n' > "${trivy_docker_config}/config.json"
          export DOCKER_CONFIG="${trivy_docker_config}"

+          trivy_ignore_args=()
+          if [[ -f .trivyignore.yaml ]]; then
+            trivy_ignore_args=(--ignorefile .trivyignore.yaml)
+          fi
+
          "${trivy_bin}" fs --scanners vuln,misconfig --severity HIGH,CRITICAL \
-            --exit-code 0 --no-progress --cache-dir "${trivy_cache}" .
+            --exit-code 0 --no-progress --cache-dir "${trivy_cache}" "${trivy_ignore_args[@]}" .
          "${trivy_bin}" fs --scanners vuln,misconfig --severity CRITICAL \
-            --exit-code 1 --no-progress --cache-dir "${trivy_cache}" .
+            --exit-code 1 --no-progress --cache-dir "${trivy_cache}" "${trivy_ignore_args[@]}" .

      - name: Validate shell, Kubernetes manifests, and OpenTofu stacks
        run: |
--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@ -0,0 +1,9 @@
+misconfigurations:
+  - id: KSV-0014
+    paths:
+      - apps/gitea/deployment.yaml
+    statement: Gitea needs a separate tested migration to the rootless image because its current persistent volume layout uses the standard image /data path and OpenSSH setup.
+  - id: KSV-0118
+    paths:
+      - apps/gitea/deployment.yaml
+    statement: Gitea needs a separate tested migration to the rootless image because its current persistent volume layout uses the standard image /data path and OpenSSH setup.