Artem
Trivy Vulnerability Scans Advanced Filtering

Hi there!

It's been a while since I posted anything, but it is all because of good reasons. The last 2 years were busy for me both at work and day-to-day.

Anyway, I just wanted to share a cool feature I discovered in Trivy that really sets it apart from other OSS security scanners: advanced filtering, which uses Open Policy Agent and Rego policies to decide which findings should be ignored from the scan results. It is described in detail in Trivy's official documentation, and although it is an experimental feature, it has been around since older versions of Trivy.

I want to wrap up this short blog post by sharing a Rego policy that filters CVEs based on a severity-dependent grace period:

package trivy

import data.lib.trivy

default ignore = false

# Grace periods in nanoseconds. A finding is ignored while it is younger
# than the grace period assigned to its severity.
now_ns := time.now_ns()
days_7_ns := 7 * 24 * 60 * 60 * 1000000000
days_30_ns := 30 * 24 * 60 * 60 * 1000000000
days_90_ns := 90 * 24 * 60 * 60 * 1000000000
days_180_ns := 180 * 24 * 60 * 60 * 1000000000

grace_ns := {
    "CRITICAL": days_7_ns,
    "HIGH": days_30_ns,
    "MEDIUM": days_90_ns,
    "LOW": days_180_ns
}

# PublishedDate is the RFC 3339 timestamp Trivy reports for the vulnerability.
published_date = d {
    d := input.PublishedDate
}

# Ignore the vulnerability while its age is below the grace period for its
# severity. A finding with a severity not in grace_ns (e.g. UNKNOWN) or with
# no PublishedDate never matches here, so it falls back to ignore = false
# and stays in the report.
ignore {
    grace := grace_ns[input.Severity]
    published_date_ns := time.parse_rfc3339_ns(published_date)
    time_diff_ns := now_ns - published_date_ns
    time_diff_ns < grace
}

The policy above is evaluated against each finding in the scan results: it reads the finding's severity, computes how long ago the CVE was published, and ignores the finding while that age is still inside the grace period configured for its severity.
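Because the policy depends on the current time, it is worth pinning "now" and checking the boundaries before wiring it into a pipeline. The following OPA unit tests are an added example, not part of the original post or of Trivy; they assume the grace-period policy above is saved as `policy.rego` in the same directory, and the fixed timestamp (2024-03-01T00:00:00Z) and the CVE inputs are constructed for the test.

```rego
package trivy

# Constructed fixed "now" so the tests are deterministic:
# 2024-03-01T00:00:00Z expressed in nanoseconds since the Unix epoch.
fixed_now_ns := 1709251200000000000

# A CRITICAL finding published 3 days ago is inside its 7-day grace period.
test_critical_inside_grace_is_ignored {
    ignore with input as {"Severity": "CRITICAL", "PublishedDate": "2024-02-27T00:00:00Z"}
        with time.now_ns as fixed_now_ns
}

# The same CRITICAL finding at 15 days old is past the grace period and is reported.
test_critical_outside_grace_is_reported {
    not ignore with input as {"Severity": "CRITICAL", "PublishedDate": "2024-02-15T00:00:00Z"}
        with time.now_ns as fixed_now_ns
}

# HIGH gets 30 days, so the 15-day-old finding is still ignored at that severity.
test_high_inside_grace_is_ignored {
    ignore with input as {"Severity": "HIGH", "PublishedDate": "2024-02-15T00:00:00Z"}
        with time.now_ns as fixed_now_ns
}

# 91 days old: just past the 90-day MEDIUM period, still inside the 180-day LOW one.
test_medium_at_91_days_is_reported {
    not ignore with input as {"Severity": "MEDIUM", "PublishedDate": "2023-12-01T00:00:00Z"}
        with time.now_ns as fixed_now_ns
}

test_low_at_91_days_is_ignored {
    ignore with input as {"Severity": "LOW", "PublishedDate": "2023-12-01T00:00:00Z"}
        with time.now_ns as fixed_now_ns
}

# Findings the policy cannot classify must never be suppressed:
# an unlisted severity, or a vulnerability with no PublishedDate.
test_unknown_severity_is_reported {
    not ignore with input as {"Severity": "UNKNOWN", "PublishedDate": "2024-02-27T00:00:00Z"}
        with time.now_ns as fixed_now_ns
}

test_missing_published_date_is_reported {
    not ignore with input as {"Severity": "CRITICAL"} with time.now_ns as fixed_now_ns
}
```

Save this as `policy_test.rego` next to `policy.rego` and run `opa test -v .`; the tests use the same pre-1.0 Rego syntax as the policy, so use an OPA version that accepts it. Once the tests pass, the policy is applied to a scan with Trivy's `--ignore-policy` flag, for example `trivy image --ignore-policy policy.rego <image>`. The last two tests are the ones to keep an eye on when extending the policy: a finding that the policy cannot place should fall through to `default ignore = false` and remain visible rather than silently disappear.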

It is really exciting to have this capability in an OSS tool, since normally you would have to pay for a premium subscription to get a scanner that supports advanced, policy-based filtering.
