From 380c9abf38753a3257dfcea11df2ccb23a4bc282 Mon Sep 17 00:00:00 2001
From: Tero Halla-aho
Date: Mon, 15 Dec 2025 21:49:20 +0200
Subject: [PATCH] Add Trivy update reminder and ignore sensitive paths

---
 .trivyignore | 5 +++++
 deploy/build.sh | 15 ++++++++++++++-
 scripts/run-test-suite.sh | 6 +++++-
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 .trivyignore

diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..3ebad0d
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,5 @@
+creds/**
+reports/**
+*.pem
+*.key
+*.enc
diff --git a/deploy/build.sh b/deploy/build.sh
index da9418c..12a8ba2 100755
--- a/deploy/build.sh
+++ b/deploy/build.sh
@@ -33,8 +33,21 @@ echo "Done. Last image: $IMAGE"
 
 # Trivy image scan (if available)
 if command -v trivy >/dev/null 2>&1; then
+ MIN_TRIVY_VERSION="0.56.0"
+ INSTALLED_TRIVY_VERSION="$(trivy --version 2>/dev/null | head -n1 | awk '{print $2}')"
+ if [[ -n "$INSTALLED_TRIVY_VERSION" ]] && [[ "$(printf '%s\n%s\n' "$MIN_TRIVY_VERSION" "$INSTALLED_TRIVY_VERSION" | sort -V | head -n1)" != "$MIN_TRIVY_VERSION" ]]; then
+ echo "Trivy version $INSTALLED_TRIVY_VERSION is older than recommended $MIN_TRIVY_VERSION."
+ echo "Update recommended: brew upgrade trivy # macOS"
+ echo "or: sudo apt-get install -y trivy # Debian/Ubuntu (Aqua repo)"
+ echo "or: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin"
+ fi
+
 echo "Running Trivy scan on $IMAGE ..."
- trivy image --exit-code 0 "$IMAGE" || true
+ TRIVY_IGNORE_ARGS=()
+ if [[ -f ".trivyignore" ]]; then
+ TRIVY_IGNORE_ARGS+=(--ignorefile .trivyignore)
+ fi
+ trivy image --exit-code 0 "${TRIVY_IGNORE_ARGS[@]}" "$IMAGE" || true
 else
 echo "Trivy not installed; skipping image scan."
 fi
diff --git a/scripts/run-test-suite.sh b/scripts/run-test-suite.sh
index 51db518..8a98fa5 100755
--- a/scripts/run-test-suite.sh
+++ b/scripts/run-test-suite.sh
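Review bot: The five entries in the new .trivyignore are path globs, but Trivy's ignore file is matched against finding identifiers (vulnerability, misconfiguration, secret-rule and license IDs), one per line, so `creds/**`, `*.pem` and the rest will not exclude any path from the scans that the deploy/build.sh and scripts/run-test-suite.sh hunks hand the file to via `--ignorefile`; the commit's stated goal of ignoring sensitive paths is not met and the file silently has no effect. Path exclusion is a command-line concern, `--skip-dirs creds,reports --skip-files '*.pem,*.key,*.enc'` for `trivy fs` and `trivy image` alike (the YAML form of the ignore file has a per-ID `paths:` filter, but I believe it still keys on IDs), so worth confirming against the installed Trivy version before relying on it. If the motivation is keeping secret material out of the saved report rather than out of the scan, note that skipping exactly these paths also removes secret-scanner coverage for the files most likely to hold leaked credentials. A one-line comment at the top of the file stating what each entry is expected to match would make the intent reviewable; this point also applies to the `--ignorefile .trivyignore` additions in both shell hunks.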
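Review bot: The update hint on the fourth added `echo` line recommends `curl … /main/contrib/install.sh | sudo sh`, i.e. running an unpinned script from a moving branch as root with no integrity check, which is a weak supply-chain recommendation for build tooling to print; I would replace that line with `echo "or: download a pinned release and verify its checksum: https://github.com/aquasecurity/trivy/releases"`. Separately, `"${TRIVY_IGNORE_ARGS[@]}"` on an empty array aborts with "unbound variable" under `set -u` on bash 4.3 and older (macOS ships 3.2, which the brew hint suggests is a target); if this script runs with `set -u`, write it as `${TRIVY_IGNORE_ARGS[@]+"${TRIVY_IGNORE_ARGS[@]}"}` here and in the scripts/run-test-suite.sh hunk. The version probe assumes `trivy --version` prints `Version: X.Y.Z` as its first line and that `sort -V` is available; a comment such as `# expects "Version: X.Y.Z" on the first line; sort -V needs GNU or a recent BSD sort` would make both assumptions visible. The script's `set` options are outside the hunk, so the `set -u` concern is inferred, not confirmed.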
@@ -190,7 +190,11 @@ TRIVY_MODE="${TRIVY_MODE:-fs}"
 if command -v trivy >/dev/null 2>&1; then
 log "Running Trivy (${TRIVY_MODE}) on ${TRIVY_TARGET}..."
 TRIVY_TXT="$RUN_DIR/trivy.txt"
- if trivy "${TRIVY_MODE}" --severity HIGH,CRITICAL --timeout 5m "$TRIVY_TARGET" >"$TRIVY_TXT"; then
+ TRIVY_IGNORE_ARGS=()
+ if [ -f ".trivyignore" ]; then
+ TRIVY_IGNORE_ARGS+=(--ignorefile .trivyignore)
+ fi
+ if trivy "${TRIVY_MODE}" --severity HIGH,CRITICAL --timeout 5m "${TRIVY_IGNORE_ARGS[@]}" "$TRIVY_TARGET" >"$TRIVY_TXT"; then
 record_result "Trivy (${TRIVY_MODE})" "PASS" "report" "report: ${TRIVY_TXT}"
 else
 record_result "Trivy (${TRIVY_MODE})" "FAIL" "report" "report: ${TRIVY_TXT}"
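Review bot: `[ -f ".trivyignore" ]` is evaluated against the caller's working directory, not the repository, so invoking this script from anywhere other than the repo root silently drops the ignore file, or picks up an unrelated `.trivyignore` lying in that directory and feeds it to the scan; since the script lives in scripts/, the file can be located relative to it, e.g. `trivy_ignore="$(cd "$(dirname "$0")/.." && pwd)/.trivyignore"` followed by `if [ -f "$trivy_ignore" ]; then TRIVY_IGNORE_ARGS+=(--ignorefile "$trivy_ignore"); fi`. The same cwd dependence exists in the deploy/build.sh hunk. As a style point, this hunk tests with `[ -f … ]` while the build.sh hunk uses `[[ -f … ]]` for the identical check; picking one form keeps the two scripts consistent. The `if command -v trivy` block continues past the end of the hunk.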