npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

trivy-ignore-check

v1.2.1

Published

Check a .trivyignore file for unneeded entries.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

gflohrgflohr

Keywords

trivycipipelinevulnerability scanning

Readme

licence price coverage downloads stand with

Trivy Ignore Check

Keep your .trivyignore files clean.

Description

Trivy is a popular vulnerability scanner. It allows you to specify a list of vulnerabilities by id that should suppressed. By default, Trivy reads this list from a .trivyignore file in the current directory.

These files can grow indefinitely because Trivy does not report vulnerabilities listed in the ignore file that are no longer present in the scan results.

This is where this tool comes in. It takes a vulnerability scanning report and checks it against a .trivyignore file. Unnecessary entries are printed to the console.

Why

It is good practice to keep the trivyignore short. Not only because it is generally a bad idea to ignore vulnerabilities. But also, because ignoring vulnerabilities that no longer exist can clutter your view of real security risks.

Dependencies

You need a recent version of Node.js.

Apart from that, the tool has zero runtime dependencies.

Installation

This tool is meant to be run inside of a CI/CD pipeline, and there is normally no need to install it, as long as node is present. One of the following invocations will work:

npx trivy-ignore-check
npm exec trivy-ignore-check
pnpm dlx trivy-ignore-check
yarn dlx trivy-ignore-check
bunx trivy-ignore-check

If you can't help, install it globally on your machine with one of the following commands:

npm install -g trivy-ignore-check
pnpm add -g trivy-ignore-check
yarn global add trivy-ignore-check
bun add -g trivy-ignore-check

You may need to prepend sudo if you need root privileges in Un*x environments.

Usage

You invoke the tool like this:

npx trivy-ignore-check .trivyignore trivy-findings-1.json trivy-findings-2.json

Replace .trivyignore with your Trivy ignore file path, and trivy-findings.json with the path to a Trivy scan report in JSON format. If you omit the path to the findings file, standard input is read instead:

npx trivy-ignore-check .trivyignore

In this case, you can only use one scan report.

Running the Trivy Scan

You can invoke trivy any way you like, but you will normally have to invoke without or with an empty .trivyignore file (try /dev/null). Otherwise trivy-ignore-check will report all entries in the ignore file as unnecessary.

You cannot run trivywith the experimental option --show-suppressed. The output format will not be recognised. That may change, once the option --show-suppressed is no longer experimental.

Pipeline Integration

The tool terminates with exit code 0 (success) if no unnecessary ignore entries have been found or 2 if there were such entries. Every other error code means that the tool has failed for some other reason. It is probably a good idea to make these failures non-fatal, and let the pipeline continue with a warning.

The tool does not make an attempt to patch the .trivyignore file, leave alone create a pull request. The structure of the .trivyignore file can differ significantly between organisations and projects, and the file is security relevant. If you want to automate the clean-up of the ignore file, implement an approach that fits your needs yourself. It will be simple with the output of trivy-ignore-check.

GitHub Actions

In GitHub Actions, you can add a job like this:

jobs:
  trivy-ignore-check:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Install latest Trivy. Replace "latest" with something like "v0.69.1" to
      # lock the version.
      - name: Install Trivy
        uses: aquasecurity/[email protected]
        with:
          version: latest

      - name: Scan first image
        run: |
          set -euo pipefail
          trivy image --quiet --ignorefile /dev/null \
            --severity HIGH,CRITICAL --format json my-image-1:latest \
            > report-1.json

      - name: Scan second image
        run: |
          set -euo pipefail
          trivy image --quiet --ignorefile /dev/null \
            --severity HIGH,CRITICAL --format json my-image-2:latest \
            > report-2.json

      - name: Check for unnecessary .trivyignore entries
        run: |
          set -euo pipefail
          npx --yes trivy-ignore-check .trivyignore report-1.json report-2.json
        continue-on-error: true

If you only scan a single image, you can pipe the output directly:

      - name: Scan and check ignore file
        run: |
          set -euo pipefail
          trivy image --quiet --ignorefile /dev/null \
            --severity HIGH,CRITICAL --format json my-image:latest \
            | npx --yes trivy-ignore-check .trivyignore
        continue-on-error: true

Azure DevOps

In Azure DevOps, you will typically add something like this to your pipeline:

trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

steps:
- checkout: self
  displayName: 'Checkout repository'

# Install latest Trivy. Replace "latest" with something like "v0.69.1" to
# lock the version.
- script: |
    set -euo pipefail
    curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin latest
  displayName: 'Install Trivy'

# Install Node.js (required for npx).
- task: NodeTool@0
  inputs:
    versionSpec: '22.x'
  displayName: 'Install Node.js'

- script: |
    set -euo pipefail
    npm ci
  displayName: 'Install dependencies'

- script: |
    set -euo pipefail
    trivy image --quiet --ignorefile /dev/null \
      --severity HIGH,CRITICAL --format json my-image-1:latest \
      > report-1.json
  displayName: 'Trivy scan image 1'

- script: |
    set -euo pipefail
    trivy image --quiet --ignorefile /dev/null \
      --severity HIGH,CRITICAL --format json my-image-2:latest \
      > report-2.json
  displayName: 'Trivy scan image 2'

- script: |
    set -euo pipefail
    npx --yes trivy-ignore-check .trivyignore report-1.json report-2.json
  displayName: 'Find unneeded .trivyignore entries'
  continueOnError: true

If you perform only one scan, you can combine it into a single step:

- script: |
    set -euo pipefail
    trivy image --quiet --ignorefile /dev/null \
      --severity HIGH,CRITICAL --format json my-image:latest \
      | npx --yes trivy-ignore-check .trivyignore
  displayName: 'Find unneeded .trivyignore entries'
  continueOnError: true

Reporting Bugs

Please report bugs at https://github.com/gflohr/trivy-ignore-check/issues.

Copyright

Copyright (C) 2026 Guido Flohr [email protected], all rights reserved.

This is free software available under the terms of the WTFPL.

Disclaimer

This free software has been written with the greatest possible care, but like all software it may contain errors. Use at your own risk! There is no warranty and no liability.