Container Scanning: Identify if a finding is fixable
### Engineering DRI @ifrenkel ## Problem to Solve Some of the vulnerabilities identified by container scanning cannot be fixed because vendors have not released patches. In these cases, teams may wish to hide/ignore those vulnerabilities because they are not actionable and just create noise until vendors make those patches available. ## Overview Give users the ability to filter out container scanning vulnerabilities that don't have a fix. Trivy, as of v4.4.0, added an --ignore-status flag which can be used to implement this filtering, it is currently the only scanner which respects this flag. ## Intended Users * [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/product/personas/#delaney-development-team-lead) * [Sasha (Software Developer)](https://about.gitlab.com/handbook/product/personas/#sasha-software-developer) * [Dakota (Application Development Director)](https://about.gitlab.com/handbook/product/personas/#dakota-application-development-director) * [Amy (Application Security Engineer)](https://about.gitlab.com/handbook/product/personas/#amy-application-security-engineer) ### Must Have * Trivy support * CI variable `CS_IGNORE_UNFIXED` ### Could Have * Visual indicator on the Vulnerability Report, which allows users to filter out any container scanning results that are not fixable. * Security policies adds a filter so that customers may opt to create rules that block MRs for high severity vulnerabilities, but which allow those MRs whenever a fix is not available. ### Not in Scope * Grype support. This will be added once Grype adds this capability. @jhebden [opened a PR to move that forward](https://github.com/anchore/grype/pull/1473). <!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION --> *This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.* <!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
epic