Configuring "Ignoring vulnerabilities" in workflow

[kvmw]

It would be a nice option to let user configure the list of vulnerabilities to ignore as action input. this can be either inline or the path to a file that contains the list.

either:

- uses: azure/container-scan@v0
  with:
    image-name:  http://myimage:latest
    username: changeit
    password: changit
    allowedlist:   # pass the list inline
     - CVE-2003-1307
     - CVE-2007-0086
     - CVE-2019-3462
     - CVE-2011-3374

or:

- uses: azure/container-scan@v0
  with:
    image-name:  http://myimage:latest
    username: changeit
    password: changit
    allowedlist: /path/to/allowedlist.yaml. # the file that contains the list of vulnerabilities to ignore. 

Scenario 1: Using the same workflow against multiple versions of the same image, one might want to ignore some vulnerabilities in older versions but not in the latest one for example.

Scenario 2: Using the action multiple times for different images in a single repo/workflow, one might one to ignore some vulnerabilities for one image not the other ones.

[github-actions]

This issue is idle because it has been open for 14 days with no activity.

[kvmw]

any update on this?

[ajinkya599]

We currently support an ignore file in the path .github/containerscan/allowedlist.yaml.
In the v1 proposal, we have image specific allowedlisting. I think that can address the ask. What do you think?
cc: @pulkitaggarwl

[kvmw]

@ajinkya599 , v1-proposal addresses the second scenario in my request but not the the first one, unless we include the image tag/version in the allowedlist.yaml too. for example:

general:
   vulnerabilities:
   - CVE-2003-1307
image-name-1@latest:
   vulnerabilities:
   - CVE-2003-2207 
image-name-1@v1:
   vulnerabilities:
   - CVE-2003-3232
image-name-1@v2:
  - ...  

To explain our situation:
we have some versions of the images out there used by customers. we keep scanning them to find potential new CVEs but we can only fix those CVEs be shipping the new version of our images.
We have single workflow scanning latest version of the image (e.g. image:latest) as well as some old versions (e.g. image:v1 and image:v2).
Imagine a new CVE is impacting image:latest (under development) and image:v1 (used by customer). we will fix the issue in latest image but we need to ignore it in v1. (same image, different versions, different ignore list).

Separating the older images workflow from the latest one that is under development can be a workaround for this issue but it seems too much work compare to just being able to set a path (or inline list) for the action.

[github-actions]

This issue is idle because it has been open for 14 days with no activity.

[patrick-stephens]

A per image option would be useful but even better to include in the inputs. Having a single file currently is not really flexible enough.

[github-actions]

This issue is idle because it has been open for 14 days with no activity.