docs(terraform): improve documentation for filtering by inline comments #6284
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
simar7
reviewed
Mar 8, 2024
| In cases where trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to filter/ignore findings from a single point of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned). | ||
| Trivy supports ignoring misconfigured resources by inline comments for Terraform configuration files only. | ||
|
|
||
| In cases where Trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to filter/ignore findings from a single point of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned). The format for these comments is `trivy:ignore:<rule>` or `tfsec:ignore:<rule>` immediately following the format-specific line-comment [token](https://developer.hashicorp.com/terraform/language/syntax/configuration#comments). |
There was a problem hiding this comment.
Suggested change
| In cases where Trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to filter/ignore findings from a single point of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned). The format for these comments is `trivy:ignore:<rule>` or `tfsec:ignore:<rule>` immediately following the format-specific line-comment [token](https://developer.hashicorp.com/terraform/language/syntax/configuration#comments). | |
| In cases where Trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to ignore findings from a single source of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned). The format for these comments is `trivy:ignore:<rule>` immediately following the format-specific line-comment [token](https://developer.hashicorp.com/terraform/language/syntax/configuration#comments). |
simar7
reviewed
Mar 8, 2024
|
|
||
| The format for these comments is `trivy:ignore:<Vulnerability ID>` immediately following the format-specific line-comment token. | ||
| You can add multiple ignores on the same comment line. | ||
| The ignore rule must contain one of the possible check IDs that can be found in its metadata: ID, short code or alias. The `id` from metadata is not case sensitive, you can specify `AVD-AWS-0089` or `avd-aws-0089` and it will work the same way. |
There was a problem hiding this comment.
Suggested change
| The ignore rule must contain one of the possible check IDs that can be found in its metadata: ID, short code or alias. The `id` from metadata is not case sensitive, you can specify `AVD-AWS-0089` or `avd-aws-0089` and it will work the same way. | |
| The ignore rule must contain one of the possible check IDs that can be found in its metadata: ID, short code or alias. The `id` from metadata is not case sensitive, you can specify `AVD-AWS-0089` or `avd-aws-0089` as it's case insensitive. |
simar7
reviewed
Mar 8, 2024
Comment on lines
425
to
426
| !!! tip | ||
| Long ID is preferred because it is a readable format. |
There was a problem hiding this comment.
While it's more readable, I would argue that it's more error prone so I'm not sure if we should suggest users to use it over something like AVD ID.
Suggested change
| !!! tip | |
| Long ID is preferred because it is a readable format. |
simar7
approved these changes
Mar 12, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
The documentation lacked information on all the options for filtering by inline comments
Checklist