Scoped inline filtering

[alex-broad]

Description

In a similar manner to #4022, as of v0.41.0, while trivy supports inline filtering (#2961), I found the comment had to be on the same line as the error to ignore. This doesn't work well and is impossible to support in multiline RUN commands in Dockerfiles, for example:

RUN apt-get update \
    && apt-get install -y --no-install-suggests \
    package-a-b-c=1.2.3 \
    ...

Would need to become:

RUN apt-get update \
    && apt-get install -y --no-install-suggests \ #trivy:ignore:AVD-DS-0029 \
    package-a-b-c=1.2.3 \
    ...

which isn't a valid multiline command.

Placing it before the RUN line as you might expect does not suppress the issue.

The current workaround is to disable it globally in the .trivyignore file but this is not ideal as we generally want to be prompted for these issues and disable them by exception.

Target

Filesystem

Scanner

Misconfiguration

[simar7]

Thanks we will look into this.

Could you clarify this:

The current workaround is to disable it globally in the .trivyignore file but this is not ideal as we generally want to be prompted for these issues and disable them by exception.

Are you saying you only want to disable a particular check for a certain file rather than disable globally?

[alex-broad]

Thanks. Yes, ideally we'd like to disable per instance rather than globally. To be clear, I believe this problem affects any trivy filtering one might wish to do in a Dockerfile with multiline RUN commands.

[simar7]

Thanks. There is a broader discussion here, to which I'll add this to #3620

[alex-broad]

Oh hang on, did you mean to reference this discussion or another one in your last comment?

[simar7]

Sorry fixed the link now.