Trivy ".trivyignore not honored" (CVEs still fail) in CI
Trivy only reads .trivyignore from the current working directory by default. If CI runs the scan from another path, or the file lists entries in a format Trivy does not parse, the CVEs are not suppressed and the gate keeps failing.
What this error means
A CVE you added to .trivyignore still appears in the results table and still trips --exit-code 1, as if the ignore file were absent.
Total: 1 (HIGH: 0, CRITICAL: 1)
# CVE-2024-XXXX is listed in .trivyignore but still reported
| libssl3 | CVE-2024-XXXX | CRITICAL | 3.0.11-1 | 3.0.13-1 |
Error: Process completed with exit code 1.Common causes
The scan runs from a directory without the ignore file
Trivy looks for .trivyignore in the working directory. If the step runs from a subfolder or a different checkout path, it never sees the file.
Wrong format or a trailing comment on the ID line
Each line must be a bare CVE/vulnerability ID (comments on their own lines). An inline comment or an expiry syntax the version does not support means the entry is not matched.
How to fix it
Point Trivy at the ignore file explicitly
- Place
.trivyignoreat the repo root or pass its path. - Use
--ignorefileso the location does not depend on the working directory. - Re-run and confirm the listed CVE drops out of the table.
trivy image --ignorefile .trivyignore \
--exit-code 1 --severity HIGH,CRITICAL myimage:latestUse one ID per line with comments above
Keep each vulnerability ID on its own line. For expiry-aware suppression, use the .trivyignore.yaml policy format supported by current Trivy.
# .trivyignore.yaml
vulnerabilities:
- id: CVE-2024-XXXX
expired_at: 2026-09-01How to prevent it
- Keep the ignore file at the repo root and pass --ignorefile.
- Prefer the YAML policy format so suppressions carry an expiry.
- Review the allowlist regularly so stale suppressions do not linger.