securefederatedai · rahulga1 · Feb 12, 2025 · Feb 11, 2025 · Feb 11, 2025 · Feb 12, 2025
@@ -27,7 +27,7 @@ jobs:
           docker build --pull -t docker.io/securefederatedai/openfl:${{ github.sha }} -f openfl-docker/Dockerfile.base .
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.29.0
         with:
           image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
           format: 'sarif'
@@ -52,17 +52,24 @@ jobs:
           --ignore-unfixed \
           --vuln-type os,library \
           --severity CRITICAL,HIGH,MEDIUM,LOW \
+          --ignorefile .trivyignore.yaml \
           --db-repository 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db' \
           .
 
+      - name: Display Trivy Scan Results
+        if: failure()  # Ensure this step runs regardless of the previous step's outcome
+        run: |
+          echo "Trivy Scan Results:"
+          cat trivy-docker-results.json | jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}'
+
       - name: Upload Code Vulnerability Scan Results
         uses: actions/upload-artifact@v4
         with:
           name: trivy-code-report-json
           path: trivy-code-results.json
 
       - name: Run Trivy vulnerability scanner for Docker image (JSON Output)
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.29.0
         with:
           image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
           format: 'json'
@@ -71,9 +78,16 @@ jobs:
           ignore-unfixed: true
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+          ignorefile: '.trivyignore.yaml'
         env:
           TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'
 
+      - name: Display Trivy Scan Results
+        if: failure()  # Ensure this step runs regardless of the previous step's outcome
+        run: |
+          echo "Trivy Scan Results:"
+          cat trivy-docker-results.json | jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}'
+
       - name: Upload Docker Vulnerability Scan
         uses: actions/upload-artifact@v4
         with:
@@ -88,17 +102,24 @@ jobs:
           --ignore-unfixed \
           --vuln-type os,library \
           --severity CRITICAL,HIGH,MEDIUM,LOW \
+          --ignorefile .trivyignore.yaml \
           --db-repository 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db' \
           .
 
+      - name: Display Trivy Scan Results
+        if: failure()  # Ensure this step runs regardless of the previous step's outcome
+        run: |
+          echo "Trivy Scan Results:"
+          cat trivy-docker-results.json | jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}'
+
       - name: Upload Code Vulnerability Scan Results
         uses: actions/upload-artifact@v4
         with:
           name: trivy-code-spdx-report-json
           path: trivy-code-spdx-results.json
 
       - name: Run Trivy vulnerability scanner for Docker image (SPDX-JSON Output)
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.29.0
         with:
           image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
           format: 'spdx-json'
@@ -107,9 +128,16 @@ jobs:
           ignore-unfixed: true
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+          ignorefile: '.trivyignore.yaml'
         env:
           TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'
 
+      - name: Display Trivy Scan Results
+        if: failure()  # Ensure this step runs regardless of the previous step's outcome
+        run: |
+          echo "Trivy Scan Results:"
+          cat trivy-docker-results.json | jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}'
+
       - name: Upload Docker Vulnerability Scan
         uses: actions/upload-artifact@v4
         with:

diff --git a/.trivyignore.yaml b/.trivyignore.yaml
@@ -0,0 +1,13 @@
+# This file is used to suppress both:
+# * Trivy vulnerability scans (under the 'vulnerabilities' section).
+# * Trivy's linting warnings (under the 'misconfigurations' section).
+# For more information about the Trivy Ignore YAML file, please refer to:
+# https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#trivyignoreyaml
+# Justification should be included above each suppression group.
+
+######################## Trivy CVE supressions ########################
+vulnerabilities:
+  #   * Relevant packages:: libc-bin
+  #   * These packages are part of Intel's latest official Ubuntu base image.
+  - id: CVE-2025-0395
+