Ignore a couple of warnings

mbaldessari · mbaldessari · commit 4441d139e766 · 2025-08-25T16:19:42.000+02:00
diff --git a/.github/linters/trivy.yaml b/.github/linters/trivy.yaml
@@ -1,3 +1,4 @@
+# Ignores are in .trivyignore
 scan:
   scanners:
     - vuln
@@ -7,7 +8,3 @@ scan:
     - MEDIUM
     - CRITICAL
     - HIGH
-ignore:
-  # List of check IDs or vulnerability IDs to skip
-  # deployment in default namespace should set metadata.namespace to a non-default namespace. This is silly in argo
-  - AVD-KSV-0110 
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,7 @@
+AVD-KSV-0110 # Missing namespace is not needed with ArgoCD
+AVD-KSV-0020 # Container 'apache' of Deployment 'hello-world' should set 'securityContext.runAsUser' > 10000. Not needed on OCP
+AVD-KSV-0021 # Container 'apache' of Deployment 'hello-world' should set 'securityContext.runAsGroup' > 10000. Not needed on OCP
+AVD-KSV-0014 # Readonly root filesystem does not work with httpd ubi images
+AVD-KSV-0125 # Container apache in deployment hello-world (namespace: default) uses an image from an untrusted registry. registry.access.redhat.com is trusted
+
+
diff --git a/charts/all/config-demo/templates/config-demo-deployment.yaml b/charts/all/config-demo/templates/config-demo-deployment.yaml
@@ -20,13 +20,11 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-        runAsUser: 10001
-        runAsGroup: 10001
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: apache
-        image: registry.access.redhat.com/ubi8/httpd-24:1-226
+        image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646
         #imagePullPolicy: Always
         ports:
         - containerPort: 8080
@@ -53,15 +51,11 @@ spec:
             memory: 256Mi
         securityContext:
           allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
+          readOnlyRootFilesystem: false
           runAsNonRoot: true
-          runAsUser: 10001
-          runAsGroup: 10001
           capabilities:
             drop:
             - ALL
-            add:
-            - NET_BIND_SERVICE
           seccompProfile:
             type: RuntimeDefault
         terminationMessagePath: /dev/termination-log
diff --git a/charts/all/hello-world/templates/hello-world-deployment.yaml b/charts/all/hello-world/templates/hello-world-deployment.yaml
@@ -19,13 +19,11 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-        runAsUser: 10001
-        runAsGroup: 10001
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: apache
-        image: registry.access.redhat.com/ubi8/httpd-24:1-226
+        image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646
         #imagePullPolicy: Always
         ports:
         - containerPort: 8080
@@ -49,17 +47,12 @@ spec:
             memory: 256Mi
         securityContext:
           allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
           runAsNonRoot: true
-          runAsUser: 10001
-          runAsGroup: 10001
+          seccompProfile:
+            type: RuntimeDefault
           capabilities:
             drop:
             - ALL
-            add:
-            - NET_BIND_SERVICE
-          seccompProfile:
-            type: RuntimeDefault
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         livenessProbe:
