chore: only add .trivyignore in command if present

ReuDa · ReuDa · commit cf499b49388c · 2026-01-29T12:55:15.000+01:00
diff --git a/.github/workflows/reusable-cve-scan.yml b/.github/workflows/reusable-cve-scan.yml
@@ -78,9 +78,15 @@ jobs:
         id: image
         run: echo "name=${{ inputs.image_name || github.repository }}" >> $GITHUB_OUTPUT
 
-      - name: Create ignore file for Trivy if not present
+      - name: Check trivy ignore file
+        id: ignorefile
         run: |
-          test -f .trivyignore.yml || touch .trivyignore.yml
+          if [ -f .trivyignore.yml ]; then
+            echo "param=--ignorefile .trivyignore.yml" >> $GITHUB_OUTPUT
+          else
+            touch .trivyignore.yml
+            echo "param=" >> $GITHUB_OUTPUT
+          fi
 
       - name: Run Trivy
         uses: aquasecurity/trivy-action@0.33.1 # NOSONAR githubactions:S7637 - verified action creator
@@ -167,14 +173,10 @@ jobs:
           INPUT_IMAGE_REPOSITORY: ${{ inputs.image_repository }}
           INPUT_SEVERITIES: ${{ inputs.severities }}
         run: |
-          IGNOREFILE_FLAG=""
-          if [ -f ".trivyignore.yml" ]; then
-            IGNOREFILE_FLAG="--ignorefile .trivyignore.yml"
-          fi
           echo "## 🛠️ To verify the scan results locally, run the following command from the extensions directory:" >> $GITHUB_STEP_SUMMARY
           echo '```bash' >> $GITHUB_STEP_SUMMARY
           echo "docker pull $INPUT_IMAGE_REPOSITORY/${{ steps.image.outputs.name }}:$INPUT_IMAGE_TAG" >> $GITHUB_STEP_SUMMARY
-          echo "trivy image --severity $INPUT_SEVERITIES ${IGNOREFILE_FLAG} --format table --show-suppressed $INPUT_IMAGE_REPOSITORY/${{ steps.image.outputs.name }}:$INPUT_IMAGE_TAG" >> $GITHUB_STEP_SUMMARY
+          echo "trivy image --severity $INPUT_SEVERITIES ${{ steps.ignorefile.outputs.param }} --format table --show-suppressed $INPUT_IMAGE_REPOSITORY/${{ steps.image.outputs.name }}:$INPUT_IMAGE_TAG" >> $GITHUB_STEP_SUMMARY
           echo '```' >> $GITHUB_STEP_SUMMARY
 
       - name: Add hint for local verification (fs)
@@ -183,16 +185,12 @@ jobs:
           INPUT_SEVERITIES: ${{ inputs.severities }}
           INPUT_CHECKOUT_REF: ${{ inputs.checkout_ref }}
         run: |
-          IGNOREFILE_FLAG=""
-          if [ -f ".trivyignore.yml" ]; then
-            IGNOREFILE_FLAG="--ignorefile .trivyignore.yml"
-          fi
           echo "## 🛠️ To verify the scan results locally, run the following command from the extensions directory:" >> $GITHUB_STEP_SUMMARY
           echo '```bash' >> $GITHUB_STEP_SUMMARY
           if [ -n "$INPUT_CHECKOUT_REF" ]; then
             echo "git checkout $INPUT_CHECKOUT_REF && git pull" >> $GITHUB_STEP_SUMMARY
           fi
-          echo "trivy fs --severity $INPUT_SEVERITIES ${IGNOREFILE_FLAG} --format table --show-suppressed ." >> $GITHUB_STEP_SUMMARY
+          echo "trivy fs --severity $INPUT_SEVERITIES ${{ steps.ignorefile.outputs.param }} --format table --show-suppressed ." >> $GITHUB_STEP_SUMMARY
           echo '```' >> $GITHUB_STEP_SUMMARY
 
       - name: Convert Trivy JSON to SARIF
