Pass Rancher's VEX report to Trivy to remove known false-positives

Signed-off-by: Guilherme Macedo <[email protected]>
rancher · Sep 27, 2024 · 2523c77 · 2523c77
1 parent bf553be
commit 2523c77
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -49,13 +49,19 @@ jobs:
         TAG=$(docker images --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" | grep "rancher/rke2-runtime" | sort -k2 -r | head -n1 | awk '{print $1}')
         echo "TAG=${TAG}" >> "$GITHUB_OUTPUT"
 
+    - name: Download Rancher's VEX Hub report
+      run: curl -fsSO https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json
+
     - name: Run Trivy on image
       uses: aquasecurity/[email protected]
       with:
         image-ref: '${{ steps.build-image.outputs.TAG }}'
         format: 'table'
         severity: "HIGH,CRITICAL"
         output: "trivy-image-report.txt"
+      env:
+        TRIVY_VEX: rancher.openvex.json
+        TRIVY_SHOW_SUPPRESSED: true
 
     - name: Run Trivy on filesystem
       uses: aquasecurity/[email protected]
@@ -64,6 +70,9 @@ jobs:
         scan-ref: '.'
         severity: "HIGH,CRITICAL"
         output: "trivy-fs-report.txt"
+      env:
+        TRIVY_VEX: rancher.openvex.json
+        TRIVY_SHOW_SUPPRESSED: true
 
     - name: Upload Trivy Reports
       uses: actions/upload-artifact@v4
@@ -113,4 +122,4 @@ jobs:
     steps:
       - name: Report Failure
         run: |
-          gh issue comment ${{ github.event.issue.number }} -b ":x: Trivy scan action failed, check logs :x:"
+          gh issue comment ${{ github.event.issue.number }} -b ":x: Trivy scan action failed, check logs :x:"