[ENGPROD-6654] Ignore policies from a folder

pkg/flag/report_flags.go

@@ -66,7 +66,7 @@ var (
 		Name:       "ignore-policy",
 		ConfigName: "ignore-policy",
 		Default:    "",
-		Usage:      "specify the Rego file path to evaluate each vulnerability",
+		Usage:      "specify the Rego file path (or dir path with Rego files) to evaluate each vulnerability",
 	}
 	ExitCodeFlag = Flag{
 		Name:       "exit-code",

pkg/result/filter.go

@@ -3,9 +3,12 @@
 import (
 	"context"
 	"fmt"
+	"io/fs"
 	"os"
+	"path/filepath"
 	"sort"
 
+	"github.com/open-policy-agent/opa/bundle"
 	"github.com/open-policy-agent/opa/rego"
 	"github.com/samber/lo"
 	"golang.org/x/exp/maps"
@@ -14,6 +17,7 @@
 
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/vex"
 )
@@ -66,14 +70,37 @@
 	filteredLicenses := filterLicenses(result.Licenses, severities, opt.IgnoreLicenses, ignoreConf.Licenses)
 
 	var ignoredMisconfs int
-	if opt.PolicyFile != "" {
+	if opt.PolicyFile != "" && len(filteredVulns)+len(filteredMisconfs)+len(filteredSecrets)+len(filteredLicenses) > 0 {
+		log.Logger.Debugf("Filtering result with ignore policies, type: %s, path: %s", result.Type, result.Target)
 		var err error
 		var ignored int
-		filteredVulns, filteredMisconfs, ignored, filteredSecrets, filteredLicenses, err = applyPolicy(ctx, filteredVulns, filteredMisconfs, filteredSecrets, filteredLicenses, opt.PolicyFile)
+
+		// If the PolicyFile option is a dir find and apply rego files in it
+		var policyFiles []string
+		fi, err := os.Stat(opt.PolicyFile)
 		if err != nil {
-			return xerrors.Errorf("failed to apply the policy: %w", err)
+			return xerrors.Errorf("failed to analyze ignore policy %s: %w", opt.PolicyFile, err)
+		}
+		if fi.IsDir() {
+			policyFiles, err = findPolicyFiles(opt.PolicyFile)
+			if err != nil {
+				return xerrors.Errorf("failed to find policy files in %s: %w", opt.PolicyFile, err)
+			}
+			if len(policyFiles) == 0 {
+				log.Logger.Warnf("No ignore policies found in %s", opt.PolicyFile)
+			}
+		} else {
+			policyFiles = append(policyFiles, opt.PolicyFile)
+		}
+
+		for _, policyFile := range policyFiles {
+			log.Logger.Debugf("Applying ignore policy: %s", policyFile)
+			filteredVulns, filteredMisconfs, ignored, filteredSecrets, filteredLicenses, err = applyPolicy(ctx, filteredVulns, filteredMisconfs, filteredSecrets, filteredLicenses, policyFile)
+			if err != nil {
+				return xerrors.Errorf("failed to apply ignore policy %s: %w", policyFile, err)
+			}
+			ignoredMisconfs += ignored
 		}
-		ignoredMisconfs += ignored
 	}
 	sort.Sort(types.BySeverity(filteredVulns))
 
@@ -223,7 +250,25 @@
 	}
 }
 
+func findPolicyFiles(policiesDir string) ([]string, error) {
+	var files []string
+	err := filepath.WalkDir(policiesDir, func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if !d.IsDir() && filepath.Ext(path) == bundle.RegoExt {
+			files = append(files, path)
+		}
+		return nil
+	})
+	if err != nil {
+		return files, xerrors.Errorf("walk error %w", err)
+	}
+
+	return files, nil
+}
+
 func applyPolicy(ctx context.Context, vulns []types.DetectedVulnerability, misconfs []types.DetectedMisconfiguration, scrts []ftypes.SecretFinding, lics []types.DetectedLicense,
 	policyFile string) ([]types.DetectedVulnerability, []types.DetectedMisconfiguration, int, []ftypes.SecretFinding, []types.DetectedLicense, error) {
 	policy, err := os.ReadFile(policyFile)
 	if err != nil {