scan-image: Merge global, family and image-specific allowed vulnerabilities#2387
mnasiadka wants to merge 2 commits into
Code Review
This pull request updates the generate_trivy_ignore function in tools/scan-images.sh to support image family-level allowed vulnerabilities, while also consolidating and sorting the output to .trivyignore. The review feedback recommends optimizing the family extraction using native Bash parameter expansion, cleaning up the quoting in the yq commands for better readability, and simplifying the file-writing logic by replacing the truncate-and-append approach with a direct redirect.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
/gemini review
Code Review
This pull request updates the tools/scan-images.sh script to support image family-level allowed vulnerabilities in addition to global and image-specific ones, and refactors the .trivyignore generation to output sorted, unique values. The review feedback suggests a more idiomatic way to handle file redirection by replacing the redundant truncate step with a direct overwrite (>), and recommends adding a guard inside the loop to filter out empty or "null" values that might be returned by yq queries.
Warning: Gemini encountered an error creating the review. You can try again by commenting
/gemini review
Code Review
This pull request updates the tools/scan-images.sh script to support vulnerability inheritance by introducing an image "family" concept (extracted from the image name) and fetching family-specific allowed vulnerabilities. It also refactors the .trivyignore generation to use a single sorted and deduplicated loop. The review feedback suggests optimizing the script to avoid redundant yq calls when the image name does not contain an underscore (meaning the family is identical to the image name).
14ce44b to 7e7a90f
/gemini review
Code Review
This pull request updates tools/scan-images.sh to support image family-level allowed vulnerabilities by extracting the family prefix from the image name and merging global, family, and image-specific vulnerabilities. Feedback on this PR highlights a critical issue where using >> instead of > to write to .trivyignore causes vulnerability leakage across images, as the file is no longer cleared before processing each image.
7e7a90f to dd58c89
No description provided.
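The merge behaviour the reviews above describe, written out as an added shell example that is not the project's tools/scan-images.sh: a flat key/value file (constructed, with made-up CVE ids) stands in for the YAML the real script queries with yq, `lookup_allowed` is a hypothetical helper for those queries, and the function shows the three points the reviewers raised: family extraction with Bash parameter expansion, dropping empty/"null" values, and overwriting .trivyignore with > so nothing leaks between images.

```shell
#!/usr/bin/env bash
# Constructed stand-in for the allowed-vulnerabilities YAML (assumption,
# not the project's real format): "<key> <cve>" per line.
set -euo pipefail

ALLOWED_CONF="$(mktemp)"
cat > "$ALLOWED_CONF" <<'EOF'
global CVE-2024-0001
global CVE-2024-0002
family:nova CVE-2024-0100
family:nova null
image:nova_api CVE-2024-0200
image:nova_api CVE-2024-0001
image:keystone CVE-2024-0300
EOF

# Hypothetical replacement for the yq lookups: print every CVE recorded
# under one key, or nothing if the key is absent.
lookup_allowed() {
    awk -v key="$1" '$1 == key { print $2 }' "$ALLOWED_CONF"
}

# Build .trivyignore for one image: merge global, family and image-specific
# lists, drop empty or "null" entries, sort unique, and OVERWRITE the file
# with > (not >>) so entries from a previously scanned image never leak in.
generate_trivy_ignore() {
    local image="$1" outfile="$2"
    local family="${image%%_*}"   # "nova_api" -> "nova"; no underscore -> unchanged
    {
        lookup_allowed "global"
        # Skip the family query when the family equals the image name.
        [ "$family" != "$image" ] && lookup_allowed "family:$family"
        lookup_allowed "image:$image"
    } | { grep -Ev '^(null)?$' || true; } | sort -u > "$outfile"
}

# Number of ignored CVEs in a generated file (used to check the merge).
count_ignored() { wc -l < "$1" | tr -d ' '; }
```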