DEV Community

Artem

Trivy Vulnerability Scans Advanced Filtering

Hi there!

It's been a while since I posted anything, but all for good reasons: the last two years were busy for me both at work and in day-to-day life.

Anyway, I just wanted to share a feature I discovered in Trivy that sets it apart from most other OSS vulnerability scanners: advanced filtering of scan results with Open Policy Agent (OPA) and Rego policies, which let you decide which findings should be ignored. It is described in detail in Trivy's official documentation and, although still marked experimental, it has been available since older versions of Trivy. You pass the policy file with `--ignore-policy`; Trivy evaluates it once per finding, with the finding as `input`, and drops the finding when the policy's `ignore` rule is true for it.

I want to wrap up this short post by sharing a Rego policy that ignores CVEs for a grace period that depends on their severity (7 days for CRITICAL, 30 for HIGH, 90 for MEDIUM, 180 for LOW), so a newly published finding only starts failing the scan once its remediation window has passed:

```rego
package trivy

import data.lib.trivy

# Findings are reported unless one of the ignore rules below evaluates to true.
default ignore = false

now_ns := time.now_ns()

# Grace window per severity, in nanoseconds.
days_7_ns := 7 * 24 * 60 * 60 * 1000000000
days_30_ns := 30 * 24 * 60 * 60 * 1000000000
days_90_ns := 90 * 24 * 60 * 60 * 1000000000
days_180_ns := 180 * 24 * 60 * 60 * 1000000000

# RFC 3339 publication date of the finding (e.g. "2024-01-10T00:00:00Z").
# If Trivy has no PublishedDate for a finding, this rule is undefined, none
# of the ignore rules below can match, and the finding is still reported.
published_date := d {
    d := input.PublishedDate
}

# CRITICAL: ignore while the CVE is younger than 7 days.
ignore {
    input.Severity == "CRITICAL"
    published_date_ns := time.parse_rfc3339_ns(published_date)
    time_diff_ns := now_ns - published_date_ns
    time_diff_ns < days_7_ns
}

# HIGH: ignore while the CVE is younger than 30 days.
ignore {
    input.Severity == "HIGH"
    published_date_ns := time.parse_rfc3339_ns(published_date)
    time_diff_ns := now_ns - published_date_ns
    time_diff_ns < days_30_ns
}

# MEDIUM: ignore while the CVE is younger than 90 days.
ignore {
    input.Severity == "MEDIUM"
    published_date_ns := time.parse_rfc3339_ns(published_date)
    time_diff_ns := now_ns - published_date_ns
    time_diff_ns < days_90_ns
}

# LOW: ignore while the CVE is younger than 180 days.
ignore {
    input.Severity == "LOW"
    published_date_ns := time.parse_rfc3339_ns(published_date)
    time_diff_ns := now_ns - published_date_ns
    time_diff_ns < days_180_ns
}
```

The policy above is evaluated once per finding: it reads the finding's severity and published date, computes how old the CVE is, and sets `ignore` to true while that age is still inside the grace window for the severity. Run it with `trivy image --ignore-policy <policy.rego> <image>`. Anything the policy ignores disappears from the report entirely, so keep the windows no longer than your actual remediation SLA, and remember that a finding whose PublishedDate is missing is never ignored, which is the safe direction to fail.
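To sanity-check what the policy will drop before wiring it into a pipeline, here is an added reference implementation of the same grace-period rule over Trivy's JSON report format (the output of `trivy image -f json -o report.json <image>`). It is example code written for this post, not Trivy's own code, and it mirrors the Rego semantics: a missing or unparseable PublishedDate or an unknown severity means the finding is kept. The report contents, vulnerability IDs and dates are constructed sample data, and the fixed "now" is an assumption so the result is reproducible.

```python
"""Reference implementation of the severity-based grace-period rule over a
Trivy JSON report. Added example for cross-checking the Rego policy; not
Trivy's code."""
from datetime import datetime, timedelta, timezone

# Grace window per severity, same values as the Rego policy.
GRACE_DAYS = {
    "CRITICAL": 7,
    "HIGH": 30,
    "MEDIUM": 90,
    "LOW": 180,
}


def parse_rfc3339(value):
    """Parse Trivy's PublishedDate (RFC 3339, usually with a trailing Z)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat() < 3.11 rejects "Z"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def should_ignore(vuln, now):
    """True while the finding is still inside the grace window for its severity.

    Mirrors the Rego rules: unknown severity, missing PublishedDate or a date
    that does not parse leaves the rule undefined, so the finding is kept.
    """
    days = GRACE_DAYS.get(vuln.get("Severity"))
    published = vuln.get("PublishedDate")
    if days is None or not published:
        return False
    try:
        published_at = parse_rfc3339(published)
    except ValueError:
        return False
    age = now - published_at
    return age < timedelta(days=days)  # strict "<", like the Rego comparison


def filter_report(report, now=None):
    """Split a Trivy JSON report into (kept, ignored) lists of
    (target, VulnerabilityID) pairs."""
    now = now or datetime.now(timezone.utc)
    kept, ignored = [], []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        # Trivy emits null, not [], for a target with no vulnerabilities.
        for vuln in result.get("Vulnerabilities") or []:
            bucket = ignored if should_ignore(vuln, now) else kept
            bucket.append((target, vuln["VulnerabilityID"]))
    return kept, ignored


# Constructed sample report in Trivy's JSON layout; IDs and dates are made up.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "example:latest (debian 12.4)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "Severity": "CRITICAL", "PublishedDate": "2024-01-10T00:00:00Z"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libfoo",
                 "Severity": "CRITICAL", "PublishedDate": "2024-01-01T00:00:00Z"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbar",
                 "Severity": "HIGH", "PublishedDate": "2023-12-20T00:00:00Z"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libbaz",
                 "Severity": "MEDIUM"},  # no PublishedDate: never ignored
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "libqux",
                 "Severity": "UNKNOWN", "PublishedDate": "2024-01-14T00:00:00Z"},
            ],
        }
    ]
}

# Assumed fixed "now" so the example is reproducible.
FIXED_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


if __name__ == "__main__":
    kept, ignored = filter_report(SAMPLE_REPORT, FIXED_NOW)
    print("ignored (inside grace window):", [v for _, v in ignored])
    print("reported:", [v for _, v in kept])
```

With the sample data, the 5-day-old CRITICAL and the 26-day-old HIGH are inside their windows and ignored; the 14-day-old CRITICAL, the MEDIUM without a date and the UNKNOWN-severity finding are reported. Swap `FIXED_NOW` for the real clock and load `report.json` to compare against what `--ignore-policy` drops.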

It is really exciting to have this capability in an OSS tool, since normally you would have to pay for a premium subscription to get a scanner that supports this kind of policy-based filtering of results.
