DEV Community

Artem

Trivy Vulnerability Scans Advanced Filtering

Hi there!

It's been a while since I posted anything, but all for good reasons. The last 2 years were busy for me both at work and in day-to-day life.

Anyway, I just wanted to share a cool feature I discovered in Trivy that really sets it apart from the other OSS security scanners: advanced filtering, which uses Open Policy Agent and Rego policies to decide which findings should be dropped from the scan results. It is described in detail in Trivy's official documentation, and although it is still flagged as experimental, it has been around since older versions of Trivy.

I want to wrap up this short blog post by sharing a Rego policy that filters CVEs based on a per-severity grace period:

package trivy

import data.lib.trivy

default ignore = false

now_ns := time.now_ns()

# Grace period per severity, in nanoseconds, to match the unit returned
# by time.now_ns() and time.parse_rfc3339_ns().
days_7_ns := 7 * 24 * 60 * 60 * 1000000000
days_30_ns := 30 * 24 * 60 * 60 * 1000000000
days_90_ns := 90 * 24 * 60 * 60 * 1000000000
days_180_ns := 180 * 24 * 60 * 60 * 1000000000

# Undefined when the finding has no PublishedDate; every rule below then
# fails to evaluate, so the finding stays in the report instead of being ignored.
published_date := input.PublishedDate

# Ignore a CRITICAL finding while it is less than 7 days old.
ignore {
    input.Severity == "CRITICAL"
    published_date_ns := time.parse_rfc3339_ns(published_date)
    time_diff_ns := now_ns - published_date_ns
    time_diff_ns < days_7_ns
}

# Ignore a HIGH finding while it is less than 30 days old.
ignore {
    input.Severity == "HIGH"
    published_date_ns := time.parse_rfc3339_ns(published_date)
    time_diff_ns := now_ns - published_date_ns
    time_diff_ns < days_30_ns
}

# Ignore a MEDIUM finding while it is less than 90 days old.
ignore {
    input.Severity == "MEDIUM"
    published_date_ns := time.parse_rfc3339_ns(published_date)
    time_diff_ns := now_ns - published_date_ns
    time_diff_ns < days_90_ns
}

# Ignore a LOW finding while it is less than 180 days old.
ignore {
    input.Severity == "LOW"
    published_date_ns := time.parse_rfc3339_ns(published_date)
    time_diff_ns := now_ns - published_date_ns
    time_diff_ns < days_180_ns
}

The script above is evaluated against each vulnerability in the scan results: it checks the severity, computes how long ago the CVE was published, and ignores the finding while it is still inside the grace period set for that severity.
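To see what the policy does before wiring it into a pipeline, here is an added example (not code from the original post or from Trivy) that applies the same per-severity grace periods to a Trivy JSON report in Python. The report, its CVE IDs and the fixed NOW clock are constructed placeholders, and it assumes Trivy's PublishedDate values are RFC 3339 UTC timestamps ending in Z.

```python
# Mirror of the grace-period Rego policy above, run over a Trivy JSON report (added example).
import json
import re
from datetime import datetime, timedelta, timezone

# Grace period per severity, the same values as the Rego policy.
GRACE_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}

def ignore(vuln: dict, now: datetime) -> bool:
    """True when the Rego `ignore` rule would fire for one vulnerability.
    As in the Rego, a missing PublishedDate or an unlisted severity never
    ignores anything, while a PublishedDate in the future gives a negative
    age that still passes the `<` check, so such a finding is suppressed too.
    """
    days = GRACE_DAYS.get(vuln.get("Severity"))
    published = vuln.get("PublishedDate")
    if days is None or published is None:
        return False
    # Assumption: Trivy emits UTC timestamps such as "...T10:15:09Z", sometimes with
    # fractional seconds; strip the fraction so strptime accepts both forms.
    published_dt = datetime.strptime(
        re.sub(r"\.\d+", "", published), "%Y-%m-%dT%H:%M:%SZ"
    ).replace(tzinfo=timezone.utc)
    return now - published_dt < timedelta(days=days)

def filter_report(report: dict, now: datetime) -> list:
    """Walk Trivy's Results[].Vulnerabilities[] and return the IDs that survive the policy."""
    kept = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if not ignore(vuln, now):
                kept.append(vuln["VulnerabilityID"])
    return kept

# Constructed sample shaped like `trivy image -f json` output; the CVE IDs are
# placeholders and NOW is a fixed clock standing in for time.now_ns().
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_REPORT = json.loads("""{"Results": [{"Target": "example:latest",
 "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL", "PublishedDate": "2024-05-29T00:00:00Z"},
  {"VulnerabilityID": "CVE-0000-0002", "Severity": "CRITICAL", "PublishedDate": "2024-05-20T00:00:00Z"},
  {"VulnerabilityID": "CVE-0000-0003", "Severity": "LOW", "PublishedDate": "2024-01-15T10:15:09.143Z"},
  {"VulnerabilityID": "CVE-0000-0004", "Severity": "MEDIUM"},
  {"VulnerabilityID": "CVE-0000-0005", "Severity": "HIGH", "PublishedDate": "2024-06-10T00:00:00Z"}
 ]}]}""")

if __name__ == "__main__":
    print(filter_report(SAMPLE_REPORT, NOW))  # ['CVE-0000-0002', 'CVE-0000-0004']
```

Only the 12-day-old CRITICAL and the MEDIUM with no publication date survive; the future-dated HIGH is suppressed exactly as the Rego would suppress it, which is worth knowing before relying on a feed whose dates you do not control. In Trivy itself the Rego file is applied with the --ignore-policy flag.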

It is really exciting to have this capability in an OSS tool, since normally you would have to pay for a premium subscription to get a scanner that supports advanced filtering policies.
