
Commit 4441d13

committed
Ignore a couple of warnings
1 parent 29b1a3a commit 4441d13


4 files changed

+13
-22
lines changed


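--- a/.github/linters/trivy.yaml
+++ b/.github/linters/trivy.yaml
@@ -1,3 +1,4 @@
+# Ignores are in .trivyignore
 scan:
 scanners:
 - vuln
@@ -7,7 +8,3 @@ scan:
 - MEDIUM
 - CRITICAL
 - HIGH
-ignore:
-# List of check IDs or vulnerability IDs to skip
-# deployment in default namespace should set metadata.namespace to a non-default namespace. This is silly in argo
-- AVD-KSV-0110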

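--- a/.trivyignore
+++ b/.trivyignore
@@ -0,0 +1,7 @@
+AVD-KSV-0110 # Missing namespace is not needed with ArgoCD
+AVD-KSV-0020 # Container 'apache' of Deployment 'hello-world' should set 'securityContext.runAsUser' > 10000. Not needed on OCP
+AVD-KSV-0021 # Container 'apache' of Deployment 'hello-world' should set 'securityContext.runAsGroup' > 10000. Not needed on OCP
+AVD-KSV-0014 # Readonly root filesystem does not work with httpd ubi images
+AVD-KSV-0125 # Container apache in deployment hello-world (namespace: default) uses an image from an untrusted registry. registry.access.redhat.com is trusted
+
+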
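Review bot: Each ID in this file is suppressed for every resource Trivy scans in the repository, while the comments on AVD-KSV-0020, AVD-KSV-0021 and AVD-KSV-0125 justify the exception only for container 'apache' of 'hello-world'. A chart added later that runs with a low UID, pulls from a different registry or could run read-only would pass the scan silently. Consider scoping the entries to the two chart paths (Trivy's YAML ignore file, `.trivyignore.yaml`, accepts a `paths` list per ID; confirm the linter's Trivy version supports it) or adding an expiry such as `AVD-KSV-0014 exp:<YYYY-MM-DD>` so the exceptions are re-reviewed. The two trailing blank lines (6 and 7) can be dropped.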

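--- a/charts/all/config-demo/templates/config-demo-deployment.yaml
+++ b/charts/all/config-demo/templates/config-demo-deployment.yaml
@@ -20,13 +20,11 @@ spec:
 spec:
 securityContext:
 runAsNonRoot: true
-runAsUser: 10001
-runAsGroup: 10001
 seccompProfile:
 type: RuntimeDefault
 containers:
 - name: apache
-image: registry.access.redhat.com/ubi8/httpd-24:1-226
+image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646
 #imagePullPolicy: Always
 ports:
 - containerPort: 8080
@@ -53,15 +51,11 @@ spec:
 memory: 256Mi
 securityContext:
 allowPrivilegeEscalation: false
-readOnlyRootFilesystem: true
+readOnlyRootFilesystem: false
 runAsNonRoot: true
-runAsUser: 10001
-runAsGroup: 10001
 capabilities:
 drop:
 - ALL
-add:
-- NET_BIND_SERVICE
 seccompProfile:
 type: RuntimeDefault
 terminationMessagePath: /dev/termination-log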
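Review bot: `readOnlyRootFilesystem: false` in the container securityContext gives up a control the previous revision enforced, and the AVD-KSV-0014 entry in .trivyignore stops the scanner from reporting it. If httpd only needs a few writable directories, keeping `readOnlyRootFilesystem: true` and mounting `emptyDir` volumes over those paths would preserve the hardening; the writable paths are not visible here and need to be confirmed against the image. If the setting must stay off, a comment next to it such as `# httpd in the ubi10 image writes to the root filesystem; see AVD-KSV-0014 in .trivyignore` would record why. The same control is lost in charts/all/hello-world/templates/hello-world-deployment.yaml, where the line is removed outright and the API default (false) applies. The container spec continues outside the hunk.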

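--- a/charts/all/hello-world/templates/hello-world-deployment.yaml
+++ b/charts/all/hello-world/templates/hello-world-deployment.yaml
@@ -19,13 +19,11 @@ spec:
 spec:
 securityContext:
 runAsNonRoot: true
-runAsUser: 10001
-runAsGroup: 10001
 seccompProfile:
 type: RuntimeDefault
 containers:
 - name: apache
-image: registry.access.redhat.com/ubi8/httpd-24:1-226
+image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646
 #imagePullPolicy: Always
 ports:
 - containerPort: 8080
@@ -49,17 +47,12 @@ spec:
 memory: 256Mi
 securityContext:
 allowPrivilegeEscalation: false
-readOnlyRootFilesystem: true
 runAsNonRoot: true
-runAsUser: 10001
-runAsGroup: 10001
+seccompProfile:
+type: RuntimeDefault
 capabilities:
 drop:
 - ALL
-add:
-- NET_BIND_SERVICE
-seccompProfile:
-type: RuntimeDefault
 terminationMessagePath: /dev/termination-log
 terminationMessagePolicy: File
 livenessProbe: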
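Review bot: The new `image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646` is referenced by tag only, so what runs depends on what the registry serves for that tag at pull time. Pinning the digest as well, `image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646@sha256:<digest>`, keeps the deployed image identical to the one that was scanned; the placeholder has to be filled in from the registry. The image line in charts/all/config-demo/templates/config-demo-deployment.yaml has the same issue. Separately, with `runAsUser`/`runAsGroup` removed the pod relies on `runAsNonRoot: true` plus the platform (the ignore comments say OCP) to choose a non-root UID, which deserves a short comment in the pod securityContext.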
