.trivyignore file is ignored

[vweinberger-bhs]

I'm using aquasecurity/trivy-action@0.29.0 in my GitHub Actions workflow. I want to use a .trivyignore.yml to specify the files which should be ignored.

.trivyignore.yml:

misconfigurations:
  - id: AVD-KSV-0109
    paths:
      - "kubernetes/*/grafana/datasources.yml"

Locally the misconfiguration is ignored, everything works as expected when I am executing:

trivy config . --ignorefile ./.trivyignore.yml

In my GitHub Actions workflow, I set trivyignores: './.trivyignore.yml' for the aquasecurity/trivy-action call in the with block.
The file ./.trivyignore.yml is found, this is the output of the workflow:

Run aquasecurity/trivy-action@0.29.0
  with:
    scan-type: config
    hide-progress: false
    format: table
    exit-code: [1](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:1)
    ignore-unfixed: true
    severity: CRITICAL,HIGH
    token-setup-trivy: ***
    trivyignores: ./.trivyignore.yml
    scan-ref: .
    vuln-type: os,library
    cache-dir: /home/runner/_work/prometheus-prod/prometheus-prod/.cache/trivy
    list-all-pkgs: false
    version: v0.57.1
    cache: true
    skip-setup-trivy: false
Run aquasecurity/setup-trivy@v0.[2](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:2).2
  with:
    version: v0.57.1
    cache: true
    token: ***
    path: $HOME/.local/bin
Run echo "dir=$HOME/.local/bin/trivy-bin" >> $GITHUB_OUTPUT
Run actions/cache@v4
Cache Size: ~[3](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:3)6 MB (37617819 B)
/usr/bin/tar -xf /home/runner/_work/_temp/a21d65b6-deab-[4](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:4)928-9432-0e6519eb5654/cache.tzst -P -C /home/runner/_work/prometheus-prod/prometheus-prod --use-compress-program unzstd
Cache restored successfully
Cache restored from key: trivy-binary-v0.[5](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:5)7.1-Linux-X64
Run echo /home/runner/.local/bin/trivy-bin >> $GITHUB_PATH
Run echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
Run actions/cache@v4
Cache Size: ~0 MB (179237 B)
/usr/bin/tar -xf /home/runner/_work/_temp/cf0ef589-84b1-474[6](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:6)-a253-aa223c060c[7](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:7)e/cache.tzst -P -C /home/runner/_work/prometheus-prod/prometheus-prod --use-compress-program unzstd
Cache restored successfully
Cache restored from key: cache-trivy-2024-11-26
Run echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
Run # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
Run entrypoint.sh
Found ignorefile './.trivyignore.yml':
misconfigurations:
  - id: AVD-KSV-010[9](https://xyz/DevOps/prometheus-prod/actions/runs/461121/job/670101#step:4:9)
    paths:
      - "kubernetes/development/grafana/datasources.yml"
      - "kubernetes/production/grafana/datasources.yml"
Running Trivy with options: trivy config .

As you can see in the last line, trivy itself is not executed with "--ignorefile" like locally. Maybe this is the problem?

The result is that my configured files in ./.trivyignore.yml, which should be ignored, are not ignored and I get the following error:

2024-11-26T13:47:50Z	INFO	Detected config files	num=11

kubernetes/development/grafana/datasources.yml (kubernetes)
===========================================================
Tests: 9 (SUCCESSES: 8, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-KSV-0109 (HIGH): ConfigMap 'grafana-datasources' in 'default' namespace stores secrets in key(s) or value(s) '{"#     clientSecret"}'
════════════════════════════════════════
Storing secrets in configMaps is unsafe

See https://avd.aquasec.com/misconfig/avd-ksv-0109
────────────────────────────────────────

Please investigate this issue.

[claudioma82]

I found the problem: the script entrypoint.sh doesn't support files with yaml extension like trivyignore.yaml.

The line 13: ignorefile="./trivyignores" creates the trivyignore in text format, and the following lines of the script basically read the INPUT_TRIVYIGNORES list and write in the ignore file created at line 13.

If the files in the INPUT_TRIVYIGNORES are in text format everything works, but if the files are in .yaml, trivy doesn't understand the yaml format because the ignorefile (created at line 13) doesn't have the .yaml extension.

As a workaround (like I did) you can write your .trivyignore.yml as text file and call it .trivyignore

[vweinberger-bhs]

Thank you for your investigation.

I can confirm that the usage of a .trivyignore text file works. But it is not a real workaround because with .trivyignore.yml you can do much more than with .trivyignore. For example configure a file path, for which a specific misconfiguration should be ignored. By using .trivyignore, you can just ignore the misconfiguration for all files.

Will .trivyignore.yml/yaml be supported in the future?

[nikpivkin]

@simar7 The ignorefile argument accepts multiple files and then merges them into one, since trivy only accepts one ignorefile. For yaml support we would need to use a tool like yq to merge multiple files into one or add a new argument. WDYT?

[simar7]

The ignorefile argument accepts multiple files and then merges them into one,

@nikpivkin if this is the case, then we shouldn't do this as it diverges from Trivy CLI behavior. Was this intentional?

[nikpivkin]

I don't know, it was implemented a long time ago.

[KornevNikita]

Just a note: for some reason for me it only works if I explicitly define the file extension e.g. .trivyignore.txt

[rajithkrishnegowda]

I have encountered an issue where the .trivyignore file is not being respected by Trivy in my GitHub Actions pipeline. I have tried both .trivyignore.txt and .trivyignore with aquasecurity/trivy-action@0.29.0, but the vulnerabilities specified to be ignored are still being reported.

Steps to Reproduce:

• Create a .trivyignore file with the following content:

# This file is used to suppress both:
# Trivy vulnerability scans (under the 'vulnerabilities' section).
# Trivy's linting warnings (under the 'misconfigurations' section).
# For more information about the Trivy Ignore YAML file, please refer to:
# https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#trivyignoreyaml
# Justification should be included above each suppression group.

######################## Trivy CVE suppressions ########################
vulnerabilities:
  - id: CVE-2025-0395

• Add the .trivyignore file to the root of the repository.

Configure the GitHub Actions workflow to use Trivy:

- name: Run Trivy vulnerability scanner for Docker image (JSON Output)
  uses: aquasecurity/trivy-action@0.29.0
  with:
    image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
    format: 'json'
    output: 'trivy-docker-results.json'
    exit-code: '1'
    ignore-unfixed: true
    vuln-type: 'os,library'
    severity: 'CRITICAL,HIGH,MEDIUM,LOW'
  env:
    TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'

Expected Behavior:

The vulnerability CVE-2025-0395 specified in the .trivyignore file should be ignored during the scan.

Actual Behavior:

The vulnerability CVE-2025-0395 is still being reported in the scan results:

{
  "VulnerabilityID": "CVE-2025-0395",
  "PkgName": "libc-bin",
  "InstalledVersion": "2.35-0ubuntu3.8",
  "Severity": "MEDIUM",
  "Description": "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size."
}

Additional Information:

Trivy version: 0.29.0
GitHub Actions runner: ubuntu-22.04
Please let me know if there are any additional steps or configurations required to ensure the .trivyignore file is respected.

Pipeline Results

`Found ignorefile '.trivyignore':
# This file is used to suppress both:
# Trivy vulnerability scans (under the 'vulnerabilities' section).
# Trivy's linting warnings (under the 'misconfigurations' section).
# For more information about the Trivy Ignore YAML file, please refer to:
# https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#trivyignoreyaml
# Justification should be included above each suppression group.

######################## Trivy CVE supressions ########################
vulnerabilities:
  - id: CVE-2025-0395` 

The result is that my configured files in ./.trivyignore.yml, which should be ignored, are not ignored and I get the following error:

`Trivy Scan Results:
{
  "VulnerabilityID": "CVE-[20](https://github.com/rajithkrishnegowda/openfl/actions/runs/13262128206/job/37020921274?pr=27#step:11:21)25-0395",
  "PkgName": "libc-bin",
  "InstalledVersion": "2.35-0ubuntu3.8",
  "Severity": "MEDIUM",
  "Description": "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size."
}`

[spark-cu]

Hitting the same issue here.
I'm implementing trivy-action to only scan the changing modules in the repo by setting scan-ref.

.trivyignore.yaml format doesn't work due to above mentioned entrypoint problem.
Cannot use .trivyignore either because I don't want to blanket suppress findings for all modules by default.
Cannot use .trivyignore in the module directory either because of entry point exits with 1 when there's no .trivyignore file found.

Cannot use combination of .trivyignore.yaml via trivy config yaml file either because with scan-ref the path is relative to the module so top level trivy ignore yaml's pathing rules stop applying correctly.

[spark-cu]

Easiest fix for my usecase to support per module suppression rule at the moment is to simply exit 0 instead of exit 1 in entrypoint when .trivyignore file isn't found. PR opened at #451

[jiggyjigsj]

Another workaround i've found that seems to work is by using env variable.

    - name: Scan with Trivy
      uses: aquasecurity/trivy-action@master
      with:
        scan-type: config
        scan-ref: ${{ matrix.folder }}
        tf-vars: ${{ steps.check_files.outputs.tf_var_exists == 'true' && format('{0}/test/test.tfvars', matrix.folder) || '' }}
        output: trivy.txt
        scanners: vuln,secret,misconfig
      env:
        TRIVY_IGNOREFILE: ${{ steps.check_files.outputs.trivy_ignore_exists == 'true' && format('{0}/.trivyignore.yaml', matrix.folder) || '' }}

[apankowski]

We had the same problem and got around it. Not sure if it will work for all use cases presented above, but here goes:

1. Create the .trivyignore.yaml file with exclusions
2. Create trivy.yaml file with the following config:

   ignorefile: .trivyignore.yaml
   

3. Use the action, providing path to the trivy.yaml config file via trivy-config input. By doing so, we are bypassing the limitations of trivyignores input:

      - name: Scan docker image
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ steps.image-resolver.outputs.image_ref }}
          scan-type: 'image'
          output: image-scan-results.json
          format: json
          trivy-config: 'trivy.yaml'
   

This worked like a charm for us, allowing more precise exclusions. HTH

[this-oliver]

This works for me:

      - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: 'vuln,misconfig,secret'
        env:
          TRIVY_IGNOREFILE: .trivyignore.yaml # this is important

For anyone joining later, the issue seems to be related to the file extension of the file being passed into the trivyignores input - action only works with files that have the .yaml extension.

For a more in-depth explanation, see my pr #477