Regression in YAML ignore file support in 0.68.1

[acdha]

Description

I noticed an interesting bug after updating to 0.68.1 which has been hard to reproduce. We have GitLab CI pipelines which run Trivy with TRIVY_IGNOREFILE set to .trivyignore.yaml. Both are running Trivy 0.68.1 but it works locally using ARM64 and fails remotely on x86.

In all cases, cat $TRIVY_IGNOREFILE produces the expected contents and in the local tests I was literally copy-and-pasting from the failing CI job's output into my local file to confirm that it worked.

What's interesting is that when it runs in the CI environment, it logs DEBUG Found an ignore file file_path="[MASKED]" before failing but when it works locally it logs DEBUG Found an ignore yaml file_path=".trivyignore.yaml". Since that file exists and there are no errors logged, this makes me wonder whether there's some kind of silent failure when loading it which causes it to see the YAML file as not containing any keys for ignored CVEs.

Desired Behavior

$ export TRIVY_IGNOREFILE=.trivyignore.yaml
$ cat > .trivyignore.yaml
vulnerabilities:
    - id: CVE-…
    - id: CVE-…
    - id: CVE-…
$ trivy repo --debug .
…
2025-12-04T17:14:51-05:00	DEBUG	[poetry] Scanning packages for vulnerabilities	file_path="poetry.lock"
2025-12-04T17:14:51-05:00	DEBUG	Found an ignore yaml	file_path=".trivyignore.yaml"
2025-12-04T17:14:51-05:00	DEBUG	Ignored	id="CVE-2024-40647" target="poetry.lock"
2025-12-04T17:14:51-05:00	DEBUG	Ignored	id="CVE-2023-28117" target="poetry.lock"
2025-12-04T17:14:51-05:00	DEBUG	[vex] VEX filtering is disabled

Actual Behavior

$ cat $TRIVY_IGNOREFILE
vulnerabilities:
    - id: CVE-…
    - id: CVE-…
    - id: CVE-…
$ trivy --version
Version: 0.68.1
$ TRIVY_QUIET=0 trivy repo --debug .
…
2025-12-04T22:03:42Z	DEBUG	[poetry] Scanning packages for vulnerabilities	file_path="poetry.lock"
2025-12-04T22:03:42Z	INFO	Detected config files	num=1
2025-12-04T22:03:42Z	DEBUG	Scanned config file	file_path="template.yaml"
2025-12-04T22:03:42Z	DEBUG	Found an ignore file	file_path="[MASKED]"
2025-12-04T22:03:42Z	DEBUG	[vex] VEX filtering is disabled
2025-12-04T22:03:42Z	DEBUG	Cleaning up temp directory	path="/tmp/trivy-29"

Reproduction Steps

TBD - even running locally with the same environmental variables does not fail so I'm trying to track down other environmental dependencies.

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

n/a

Operating System

aquasec/trivy container on Linux (fails) / native build passes MacOS Sonoma

Version

Version: 0.68.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

Thanks for your report. I couldn't replicate it locally.

What is set in TRIVY_IGNOREFILE on GitLab? Since the condition is determined by whether the file extension is .yml or .yaml, it may not be correctly recognized if the file has a different extension.

2025-12-04T22:03:42Z DEBUG Found an ignore file file_path="[MASKED]"

Also, did you mask [MASKED] manually, or was it automatically done by GitLab?

[acdha]

I also can't replicate it locally, which is quite frustrating. The masking is done by GitLab but the declaration in the GitLab configuration sets a static value:

variables:
    TRIVY_IGNOREFILE: .trivyignore.yaml

I'll see about getting GitLab not to mask that but since there's no logic involved GitLab shouldn't be doing anything funny. What I'm trying to figure out is what changed since I hadn't edited the template for a while.