diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..3ebad0d
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,5 @@
+creds/**
+reports/**
+*.pem
+*.key
+*.enc
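Review bot: The five entries in the new .trivyignore are path globs, but as far as I recall the plain `.trivyignore` format is a list of finding IDs (CVE-…, AVD-…, secret rule IDs, one per line, `#` for comments), so `creds/**` and `*.pem` will not exclude any files and Trivy will simply carry them as IDs that never match. Path-based exclusion is done with `--skip-files`/`--skip-dirs` on the command line, or via the `paths:` key in the YAML form `.trivyignore.yaml`; whichever is intended, please confirm against the Trivy version the build script pins. Separately, `creds/**`, `*.pem` and `*.key` are exactly the locations the secret scanner exists to inspect, so if the goal really is to silence findings there, each suppression should name the specific rule ID and a reason, e.g. `# <rule-id>: test fixture key, not a live credential`, rather than a blanket exclusion that also hides real leaks.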
diff --git a/deploy/build.sh b/deploy/build.sh
index da9418c..12a8ba2 100755
--- a/deploy/build.sh
+++ b/deploy/build.sh
@@ -33,8 +33,21 @@ echo "Done. Last image: $IMAGE"
# Trivy image scan (if available)
if command -v trivy >/dev/null 2>&1; then
+ MIN_TRIVY_VERSION="0.56.0"
+ INSTALLED_TRIVY_VERSION="$(trivy --version 2>/dev/null | head -n1 | awk '{print $2}')"
+ if [[ -n "$INSTALLED_TRIVY_VERSION" ]] && [[ "$(printf '%s\n%s\n' "$MIN_TRIVY_VERSION" "$INSTALLED_TRIVY_VERSION" | sort -V | head -n1)" != "$MIN_TRIVY_VERSION" ]]; then
+ echo "Trivy version $INSTALLED_TRIVY_VERSION is older than recommended $MIN_TRIVY_VERSION."
+ echo "Update recommended: brew upgrade trivy # macOS"
+ echo "or: sudo apt-get install -y trivy # Debian/Ubuntu (Aqua repo)"
+ echo "or: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin"
+ fi
+
echo "Running Trivy scan on $IMAGE ..."
- trivy image --exit-code 0 "$IMAGE" || true
+ TRIVY_IGNORE_ARGS=()
+ if [[ -f ".trivyignore" ]]; then
+ TRIVY_IGNORE_ARGS+=(--ignorefile .trivyignore)
+ fi
+ trivy image --exit-code 0 "${TRIVY_IGNORE_ARGS[@]}" "$IMAGE" || true
else
echo "Trivy not installed; skipping image scan."
fi
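Review bot: The upgrade advice printed at `echo "or: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin"` tells operators to pipe an unpinned script from the `main` branch into a root shell with no checksum or signature check; I would point at the tagged release instead, `echo "or: fetch the pinned release from https://github.com/aquasecurity/trivy/releases and verify its checksum before installing"`. The version gate only warns, and the scan below still runs with `--exit-code 0 … || true`, so a stale scanner produces a green build; at minimum send the warnings to stderr (`>&2`) so they stand out from the image build output. The ignore file is also resolved against the caller's working directory and silently changes results, so logging it, `echo "Applying Trivy suppressions from $(pwd)/.trivyignore"`, keeps the build log honest about what was skipped. The enclosing script continues on both sides of the hunk.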
diff --git a/scripts/run-test-suite.sh b/scripts/run-test-suite.sh
index 51db518..8a98fa5 100755
--- a/scripts/run-test-suite.sh
+++ b/scripts/run-test-suite.sh
@@ -190,7 +190,11 @@ TRIVY_MODE="${TRIVY_MODE:-fs}"
if command -v trivy >/dev/null 2>&1; then
log "Running Trivy (${TRIVY_MODE}) on ${TRIVY_TARGET}..."
TRIVY_TXT="$RUN_DIR/trivy.txt"
- if trivy "${TRIVY_MODE}" --severity HIGH,CRITICAL --timeout 5m "$TRIVY_TARGET" >"$TRIVY_TXT"; then
+ TRIVY_IGNORE_ARGS=()
+ if [ -f ".trivyignore" ]; then
+ TRIVY_IGNORE_ARGS+=(--ignorefile .trivyignore)
+ fi
+ if trivy "${TRIVY_MODE}" --severity HIGH,CRITICAL --timeout 5m "${TRIVY_IGNORE_ARGS[@]}" "$TRIVY_TARGET" >"$TRIVY_TXT"; then
record_result "Trivy (${TRIVY_MODE})" "PASS" "report" "report: ${TRIVY_TXT}"
else
record_result "Trivy (${TRIVY_MODE})" "FAIL" "report" "report: ${TRIVY_TXT}"
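Review bot: Once `.trivyignore` exists, the PASS/FAIL verdict stored by `record_result` depends on suppressions that leave no trace in `$TRIVY_TXT`, so a reader of the run directory cannot distinguish a clean scan from a muted one. I would log it and keep a copy next to the report, `log "Trivy suppressions from $(pwd)/.trivyignore"` and `cp .trivyignore "$RUN_DIR/trivyignore.txt"`, inside the `if [ -f ".trivyignore" ]` branch. Note also that the file is looked up in the current directory rather than under `$TRIVY_TARGET`, so which suppressions apply depends on where the suite is launched from; if I recall Trivy's defaults correctly it already honours `.trivyignore` in the working directory, so the explicit flag documents intent more than it changes behaviour. The `if command -v trivy` block this sits in closes outside the hunk.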