
[ENGPROD-6654] Ignore policies from a folder #6

Merged
merged 3 commits into from
Feb 15, 2024

Conversation

dstrelbytskyi

Description

Adjusted the --ignore-policy option to also support reading the *.rego policy files from a folder.

> trivy image -h
...
Report Flags
  ...
  -f, --format string              format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
      --ignore-policy string       specify the Rego file path (or dir path with Rego files) to evaluate each vulnerability
  ...

The change is backward compatible. As usual, the --ignore-policy ignore.rego option can be used.
If the option value is a filesystem directory it will recursively search for *.rego files in it and apply each found one to the scan results.

> ./trivy image --ignore-policy /path/to/folder/with/regos image_to_scan

Related issues

  • Close #XXX

Related PRs

  • #XXX
  • #YYY


Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
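The file-or-directory resolution the description above specifies, as an added example (not code from this PR or from trivy): a single path is used as-is, a directory is walked recursively for *.rego files, and the list is sorted so policies apply in a stable order. `resolvePolicyFiles` and the placeholder path are hypothetical, and the example goes one step beyond the PR by rejecting a directory that contains no policy at all, so a mistyped folder does not quietly ignore nothing.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"path/filepath"
	"sort"
)

// resolvePolicyFiles mirrors the lookup the PR describes: a file path is used
// as-is, a directory is walked recursively for *.rego files, sorted for a stable
// apply order. Hypothetical helper for this example, not trivy's own code.
func resolvePolicyFiles(policyPath string) ([]string, error) {
	info, err := os.Stat(policyPath)
	if err != nil {
		return nil, fmt.Errorf("failed to find policy files: %w", err)
	}
	if !info.IsDir() {
		return []string{policyPath}, nil
	}
	var files []string
	err = filepath.Walk(policyPath, func(p string, fi os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if !fi.IsDir() && filepath.Ext(p) == ".rego" {
			files = append(files, p)
		}
		return nil
	})
	if err != nil {
		return nil, fmt.Errorf("failed to find policy files: %w", err)
	}
	// An empty directory would silently ignore nothing; this example reports it
	// as a configuration error (the example's choice, not the PR's behaviour).
	if len(files) == 0 {
		return nil, fmt.Errorf("no *.rego files found under %s", policyPath)
	}
	sort.Strings(files)
	return files, nil
}

func main() { // debug listing of found policies; the path is a constructed placeholder
	files, err := resolvePolicyFiles("/path/to/folder/with/regos")
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("DEBUG Applying ignore policies: %v", files)
}
```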

@@ -69,11 +72,29 @@ func FilterResult(ctx context.Context, result *types.Result, ignoreConf IgnoreCo
if opt.PolicyFile != "" {
var err error
var ignored int
filteredVulns, filteredMisconfs, ignored, filteredSecrets, filteredLicenses, err = applyPolicy(ctx, filteredVulns, filteredMisconfs, filteredSecrets, filteredLicenses, opt.PolicyFile)
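Review bot: if this applyPolicy call is executed once per policy file, the `ignored` count assigned on the `filteredVulns, filteredMisconfs, ignored, filteredSecrets, filteredLicenses, err = applyPolicy(...)` line is overwritten on every iteration rather than accumulated, so the reported total only reflects the last policy; keep a per-call count and add it (`ignored += n`), and check the `err` assigned here inside the loop before the next file is applied so a malformed policy cannot leave the remaining ones silently unapplied.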
Author


So just subsequently exec this function for each target ignore rego file (either specified or found in the folder if the input value is the dir path) in the loop below.

Member

@carsongee carsongee left a comment


Nice, I just had some output recommendations, but the approach looks good to me!

pkg/result/filter.go (outdated)
return xerrors.Errorf("failed to find policy files: %w", err)
}
} else {
policyFiles = append(policyFiles, opt.PolicyFile)
Member


I think I'd like debug output to show which policy files it found when --debug is used so I can verify it is seeing the policy files I think it should load (or not)

Author


That makes sense. And I was using exactly that debug logging during development 😄
The only inconvenience is that the ignore policies are loaded and applied for every result filtration.
So, I've added the logging of what result is being filtered and then the applied policies.

...
2024-02-15T13:51:33.946+0200	INFO	Detecting pip vulnerabilities...
2024-02-15T13:51:33.946+0200	DEBUG	Detecting library vulnerabilities, type: pip, path: requirements.txt
2024-02-15T13:51:33.949+0200	DEBUG	Detecting library vulnerabilities, type: pip, path: api_client/requirements.txt
2024-02-15T13:51:33.949+0200	DEBUG	Detecting library vulnerabilities, type: pip, path: dbt/requirements.txt
2024-02-15T13:51:33.949+0200	DEBUG	Detecting library vulnerabilities, type: npm, path: engprod/package-lock.json
2024-02-15T13:51:33.951+0200	DEBUG	Detecting library vulnerabilities, type: pip, path: misc/monitoring/searchblox/requirements.txt
--- NEW ---
2024-02-15T13:51:33.968+0200	DEBUG	Filtering result with ignore policies, type: pom, path: node_modules/serverless/docs/providers/openwhisk/examples/hello-world/java/pom.xml
2024-02-15T13:51:33.968+0200	DEBUG	Applying ignore policy: engprod/only_package.rego
2024-02-15T13:51:33.970+0200	DEBUG	Applying ignore policy: engprod/subdir/flask.rego
2024-02-15T13:51:33.972+0200	DEBUG	Filtering result with ignore policies, type: pom, path: node_modules/serverless/lib/plugins/aws/invoke-local/runtime-wrappers/java/pom.xml
2024-02-15T13:51:33.972+0200	DEBUG	Applying ignore policy: engprod/only_package.rego
2024-02-15T13:51:33.973+0200	DEBUG	Applying ignore policy: engprod/subdir/flask.rego
2024-02-15T13:51:33.974+0200	DEBUG	Filtering result with ignore policies, type: npm, path: package-lock.json
2024-02-15T13:51:33.974+0200	DEBUG	Applying ignore policy: engprod/only_package.rego
2024-02-15T13:51:33.975+0200	DEBUG	Applying ignore policy: engprod/subdir/flask.rego
2024-02-15T13:51:33.976+0200	DEBUG	Filtering result with ignore policies, type: pip, path: requirements.txt
2024-02-15T13:51:33.976+0200	DEBUG	Applying ignore policy: engprod/only_package.rego
2024-02-15T13:51:33.977+0200	DEBUG	Applying ignore policy: engprod/subdir/flask.rego

@dstrelbytskyi dstrelbytskyi merged commit 657e496 into main_datarobot Feb 15, 2024
1 of 11 checks passed