Trivy supports SBOM discovery by leveraging the Referrers API. And we plan to expand the discovery to VEX. You don't need to build a new image. You can just attach VEX to your image in the OCI registry. Does it meet your requirements?
Description
The container ecosystem would benefit from .trivyignore(.yml) files being evaluated centrally. At the moment it's not possible to maintain a platform with Harbor or trivy-operator that allows ignoring vulnerabilities per image. For Harbor, this is only possible globally or per project. For the operator, it requires asking admins to configure policy files per namespace/workload and maybe granting access to the values files containing them.
We need to support triaging in many teams with individual assessments of criticality, which can look different for each application deployed as an image. The teams shall be allowed to configure ignore files without asking admins to change the configuration of the platform. Instead, Trivy should read this information in a standardized way. In our minds, that would be easiest by placing a /.trivyignore(.yml) file in the root directory of an image as part of the build process. Trivy then reads this file regardless of whether it is instantiated in Harbor, the operator or other tooling integrating with Trivy to manage images.
Feature requests with individual suggestions have already been created for those two tools:
aquasecurity/trivy-operator#1857
goharbor/harbor#19143
What do you think?
Target: Container Image
Scanner: Vulnerability
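The flow the request describes, as an added example that is neither Trivy's code nor the poster's: pull `/.trivyignore.yaml` out of the assembled image filesystem (highest layer wins, an OCI whiteout entry deletes it) and apply it to a Trivy JSON report for that image. Assumptions: layers are supplied as tar archives in application order (lowest first), the file follows Trivy's documented `vulnerabilities[].id/paths/statement/expired_at` schema, and the sample file is written as JSON (which is valid YAML) so the standard library can parse it in place of `yaml.safe_load`. The function names, the layer contents, the report and the `CVE-0000-000x` identifiers are all constructed for the demo; the matching logic is an illustrative reimplementation, not Trivy's.

```python
import io
import json
import tarfile
from datetime import date
from fnmatch import fnmatch

# Location the feature request proposes: the ignore file in the image root.
IGNORE_PATH = ".trivyignore.yaml"


def build_layer(files):
    """Constructed helper for the demo: pack {path: bytes} into a tar layer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_ignore_file(layers):
    """Return the ignore file bytes as the assembled image filesystem would see them.

    Layers are walked top-down, so the highest layer that contains the file wins,
    and an OCI whiteout entry (.wh.<name>) in a higher layer means it was deleted.
    """
    whiteout = ".wh." + IGNORE_PATH
    for layer in reversed(layers):
        with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
            members = {m.name.removeprefix("./").lstrip("/"): m for m in tar.getmembers()}
            if whiteout in members:
                return None
            if IGNORE_PATH in members:
                return tar.extractfile(members[IGNORE_PATH]).read()
    return None


def matching_rule(rules, vuln, target, today):
    """First ignore rule that applies to a finding, or None (illustrative, not Trivy's code).

    id must match; a rule past its expired_at date no longer suppresses; paths are
    globbed against the package path, falling back to the result target.
    """
    for rule in rules:
        if rule.get("id") != vuln["VulnerabilityID"]:
            continue
        expired_at = rule.get("expired_at")
        if expired_at and date.fromisoformat(str(expired_at)) < today:
            continue
        paths = rule.get("paths")
        if paths:
            path = vuln.get("PkgPath") or target
            if not any(fnmatch(path, pattern) for pattern in paths):
                continue
        return rule
    return None


def apply_ignores(report, ignore, today):
    """Split a Trivy JSON report into kept (id, target) and suppressed (id, target, statement)."""
    rules = ignore.get("vulnerabilities", [])
    kept, suppressed = [], []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            rule = matching_rule(rules, vuln, target, today)
            if rule is None:
                kept.append((vuln["VulnerabilityID"], target))
            else:
                suppressed.append((vuln["VulnerabilityID"], target, rule.get("statement", "")))
    return kept, suppressed


def evaluate_image(layers, report, today=None):
    """Read the in-image ignore file and apply it to the report for that image."""
    raw = read_ignore_file(layers)
    ignore = json.loads(raw) if raw else {}  # JSON is valid YAML; yaml.safe_load in real use
    return apply_ignores(report, ignore, today or date.today())


# Constructed sample data; the CVE identifiers are placeholders, not real CVEs.
SAMPLE_IGNORE = json.dumps({"vulnerabilities": [
    {"id": "CVE-0000-0001", "statement": "not reachable, TLS ends at the sidecar", "expired_at": "2099-01-01"},
    {"id": "CVE-0000-0002", "statement": "risk accepted for one quarter", "expired_at": "2020-01-01"},  # expired
    {"id": "CVE-0000-0003", "paths": ["usr/src/app/*"], "statement": "dev dependency only"},
]}).encode()

SAMPLE_REPORT = {"Results": [
    {"Target": "app (alpine)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libcrypto3"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox"},
    ]},
    {"Target": "usr/src/app/requirements.txt", "Class": "lang-pkgs", "Type": "pip", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests", "PkgPath": "usr/src/app/requirements.txt"},
    ]},
]}

# Two layers: the base ships an empty ignore file, the app layer overrides it at the root.
DEMO_LAYERS = [
    build_layer({"etc/os-release": b"ID=alpine\n", ".trivyignore.yaml": b'{"vulnerabilities": []}'}),
    build_layer({"usr/src/app/requirements.txt": b"requests\n", "./.trivyignore.yaml": SAMPLE_IGNORE}),
]

if __name__ == "__main__":
    kept, suppressed = evaluate_image(DEMO_LAYERS, SAMPLE_REPORT)
    for vid, target, statement in suppressed:
        print(f"ignored  {vid} in {target}: {statement}")
    for vid, target in kept:
        print(f"reported {vid} in {target}")
```

Running it suppresses the first and third placeholder findings (one by id, one by path glob) and keeps the second because its `expired_at` has passed. The expiry check is the part worth keeping whatever the final design: an ignore file baked into an image is otherwise a permanent, silently inherited exception, and a whiteout or a higher layer replacing the file changes the triage for everything downstream.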