.trivyignore
# Trivy Ignore File
# Exclude false positive vulnerabilities from security scans
#
# NOTE: We use scanners:'vuln' in CI workflows to skip secret scanning entirely.
# Test certificates (.pem, .key files) are not scanned for secrets in CI.
#
# This file is used for ignoring specific CVEs that are false positives.
#
# Format:
# CVE-ID [exp:YYYY-MM-DD] [# comment]
#
# Examples:
# CVE-2024-12345 # False positive - not applicable to our usage
# CVE-2024-67890 exp:2025-12-31 # Temporary ignore until vendor fixes
#
# Add specific CVE ignores below with reasons:
# Ruby gem vulnerabilities in js-xdr/Gemfile.lock
# Source: @bitgo-beta/sdk-coin-algo -> stellar-sdk@10.4.1 -> stellar-base -> js-xdr@1.3.0
# Reason: Ruby gems are not executed in the Node.js runtime; false positive
# These are packaged Ruby files for Ruby bindings/testing, not used in JavaScript
CVE-2020-8165 # rubygem-activesupport 4.2.1
CVE-2023-22796 # rubygem-activesupport 4.2.1
CVE-2014-10077 # rubygem-i18n 0.7.0
CVE-2020-10663 # rubygem-json 1.8.2
CVE-2022-31163 # rubygem-tzinfo 1.2.2
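As an added example (not part of this repository), a small Python audit of a `.trivyignore` in the format documented in the header above: it parses `CVE-ID [exp:YYYY-MM-DD] [# comment]` lines and reports ignores that have expired or carry no reason comment. The sample file content is constructed, and the inline-comment handling follows the format stated in this file's header rather than Trivy's own parser.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sample in the documented format (not real scan output).
SAMPLE = """\
# Trivy Ignore File
CVE-2020-8165 # rubygem-activesupport 4.2.1
CVE-2024-67890 exp:2099-12-31 # Temporary ignore until vendor fixes
CVE-2024-12345 exp:2020-01-01 # Already expired
CVE-2024-99999
"""
@dataclass
class IgnoreEntry:
    vuln_id: str
    expires: Optional[date]  # None: the ignore never expires
    reason: str              # trailing '# ...' text, '' if absent
    line_no: int

def parse_trivyignore(text: str) -> List[IgnoreEntry]:
    """Parse `ID [exp:YYYY-MM-DD] [# comment]` lines; skip blanks and comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        body, _, comment = line.partition("#")
        fields = body.split()
        expires = None
        for field in fields[1:]:
            if field.startswith("exp:"):
                # A malformed date raises ValueError: fail loudly rather than
                # silently turning a temporary ignore into a permanent one.
                expires = date.fromisoformat(field[len("exp:"):])
        entries.append(IgnoreEntry(fields[0], expires, comment.strip(), line_no))
    return entries

def audit(text: str, today: Optional[date] = None) -> List[str]:
    """One warning per entry that has expired or carries no reason comment."""
    today = today or date.today()
    warnings = []
    for e in parse_trivyignore(text):
        if not e.reason:
            warnings.append(f"line {e.line_no}: {e.vuln_id} has no reason comment")
        if e.expires is not None and e.expires < today:
            warnings.append(f"line {e.line_no}: {e.vuln_id} expired on {e.expires}")
    return warnings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no issues")
```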