From dd58c89ae985409f37c7303fc5f00e156b2d87cf Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Thu, 25 Jun 2026 08:14:42 +0200 Subject: [PATCH] Merge global, family and image-specific allowed vulnerabilities --- tools/scan-images.sh | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/tools/scan-images.sh b/tools/scan-images.sh index 9736b3bc74..ed16c91ad0 100755 --- a/tools/scan-images.sh +++ b/tools/scan-images.sh @@ -58,18 +58,21 @@ get_images() { # Generate ignored vulnerabilities file generate_trivy_ignore() { local imagename=$1 - local global_vulnerabilities - global_vulnerabilities=$(yq .global_allowed_vulnerabilities[] src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml 2> /dev/null) - local image_vulnerabilities - image_vulnerabilities=$(yq ."$imagename"'_allowed_vulnerabilities[]' src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml 2> /dev/null) - - truncate -s 0 .trivyignore # ensure we start from a clean slate - for vulnerability in $global_vulnerabilities; do - echo "$vulnerability" >> .trivyignore - done - for vulnerability in $image_vulnerabilities; do - echo "$vulnerability" >> .trivyignore - done + local family + family="${imagename%%_*}" + local global_vulnerabilities family_vulnerabilities image_vulnerabilities + + global_vulnerabilities=$(yq '.global_allowed_vulnerabilities[]' src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml 2> /dev/null) + if [[ "$family" != "$imagename" ]]; then + family_vulnerabilities=$(yq ".${family}_allowed_vulnerabilities[]" src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml 2> /dev/null) + else + family_vulnerabilities="" + fi + image_vulnerabilities=$(yq ".${imagename}_allowed_vulnerabilities[]" src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml 2> /dev/null) + + for vulnerability in $global_vulnerabilities $family_vulnerabilities $image_vulnerabilities; do + echo "$vulnerability" + done | sort -u > .trivyignore } # Put results into CSV