Replace dead Prowler IaC mutelist with Trivy ignorefile shim
Prowler's IaC provider hardcodes self._mutelist = None and delegates filtering to Trivy, but doesn't plumb --ignorefile through. The original attempt with --mutelist-file silently no-op'd. Add a wrapper around trivy in our image that injects --ignorefile $TRIVY_IGNOREFILE on `fs` subcommands; switch the IaC cronjob to mount a Trivy-format trivyignore.yaml and set the env var.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
0510a8151c
commit
2daf6291b7
6 changed files with 69 additions and 46 deletions
@ -44,10 +44,28 @@ RUN ARCH=$(dpkg --print-architecture) \
&& apt-get update && apt-get install -y --no-install-recommends wget ca-certificates \
&& wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz" -O /tmp/trivy.tar.gz \
&& tar xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy \
&& chmod +x /usr/local/bin/trivy \
&& mv /usr/local/bin/trivy /usr/local/bin/trivy.real \
&& chmod +x /usr/local/bin/trivy.real \
&& rm /tmp/trivy.tar.gz \
&& apt-get purge -y wget && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*
|
# Shim: Prowler's IaC provider invokes `trivy fs` directly with no
# --ignorefile flag, so any TRIVY_IGNOREFILE the user sets is ignored.
# This wrapper injects --ignorefile when the env var points at a real
# file and the invocation is `trivy fs ...`. Other subcommands and
# global-only invocations (--version, --help) pass through unchanged.
# TODO(upstream): contribute --ignorefile plumbing to prowler-cloud/prowler
# iac_provider.py so this shim isn't necessary.
RUN printf '%s\n' \
'#!/bin/sh' \
'if [ "${1:-}" = "fs" ] && [ -n "${TRIVY_IGNOREFILE:-}" ] && [ -f "${TRIVY_IGNOREFILE}" ]; then' \
' shift' \
' exec /usr/local/bin/trivy.real fs --ignorefile "${TRIVY_IGNOREFILE}" "$@"' \
'fi' \
'exec /usr/local/bin/trivy.real "$@"' \
> /usr/local/bin/trivy \
&& chmod +x /usr/local/bin/trivy
|
RUN addgroup --gid 1000 prowler \
&& adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler \
&& mkdir -p /tmp/.cache/trivy && chown prowler:prowler /tmp/.cache/trivy
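Review bot: the shim's trigger `'if [ "${1:-}" = "fs" ] && [ -n "${TRIVY_IGNOREFILE:-}" ] && [ -f "${TRIVY_IGNOREFILE}" ]; then'` only fires when `fs` is the very first argument, so any invocation that places a global flag before the subcommand (for example `trivy --cache-dir /tmp/.cache/trivy fs ...`) falls through to `'exec /usr/local/bin/trivy.real "$@"'` with no ignorefile, reproducing the same silent no-op the commit message describes for --mutelist-file. The same silent fall-through happens when TRIVY_IGNOREFILE is set but the `-f` test fails because the trivyignore.yaml mount is missing. Suggest adding a stderr warning on the fall-through path whenever TRIVY_IGNOREFILE is non-empty, e.g. `'[ -n "${TRIVY_IGNOREFILE:-}" ] && echo "trivy shim: TRIVY_IGNOREFILE set but not applied" >&2'` just before the final exec, so a broken mount or a changed Prowler invocation shows up in the cronjob logs instead of quietly producing unfiltered results.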