Processing oci-factory's trivy report for a golang app, using nushell

When an oci-factory's test_vulnerabilities workflow fails (example), it uploads an artifact as part of the workflow, which happens to be a *.json.zip file containing the trivy report. In this write-up I'll go through an example for grafana-agent (oci-factory).

Find out which CVEs trivy is complaining about

Using nushell (snap), you can process the JSON report in a pipeline that is reminiscent of jq:

open grafana-agent_ee369e3e388ce45e5e5e75b457e40cf6ade828bc_0.44.6.vulnerability-report.json
| get scanner.result.Results
| where {|x| "Vulnerabilities" in ($x | columns)}
| get Vulnerabilities
| flatten
| select Severity VulnerabilityID PkgName InstalledVersion FixedVersion
| uniq-by VulnerabilityID
| sort-by VulnerabilityID

The above command produced the following table:

╭───┬──────────┬─────────────────┬────────────────────────────────┬──────────────────┬──────────────────────────╮
│ # │ Severity │ VulnerabilityID │            PkgName             │ InstalledVersion │       FixedVersion       │
├───┼──────────┼─────────────────┼────────────────────────────────┼──────────────────┼──────────────────────────┤
│ 0 │ HIGH     │ CVE-2025-22868  │ golang.org/x/oauth2            │ v0.26.0          │ 0.27.0                   │
│ 1 │ HIGH     │ CVE-2025-31133  │ github.com/opencontainers/runc │ v1.1.14          │ 1.2.8, 1.3.3, 1.4.0-rc.3 │
│ 2 │ HIGH     │ CVE-2025-52565  │ github.com/opencontainers/runc │ v1.1.14          │ 1.2.8, 1.3.3, 1.4.0-rc.3 │
│ 3 │ HIGH     │ CVE-2025-52881  │ github.com/opencontainers/runc │ v1.1.14          │ 1.2.8, 1.3.3, 1.4.0-rc.3 │
│ 4 │ HIGH     │ CVE-2025-68156  │ github.com/expr-lang/expr      │ v1.17.0          │ 1.17.7                   │
╰───┴──────────┴─────────────────┴────────────────────────────────┴──────────────────┴──────────────────────────╯

Ok, next we'll need to check which of these are false positives.

Grab the workload and run govulncheck

$ git clone https://github.com/grafana/agent --depth=1 --branch=v0.44.6
$ cd agent
$ sudo snap install govulncheck
$ govulncheck
No vulnerabilities found.

Great, all of the above are false positives: govulncheck checks whether the vulnerable functions are actually reachable from the code, whereas trivy flags a dependency purely on its version, so a clean govulncheck run means none of the flagged code paths are used by this workload.

Update oci/grafana-agent/.trivyignore

With a similar nushell pipeline we can generate the format expected for the .trivyignore file:

open grafana-agent_ee369e3e388ce45e5e5e75b457e40cf6ade828bc_0.44.6.vulnerability-report.json
| get scanner.result.Results
| where {|x| "Vulnerabilities" in ($x | columns)}
| get Vulnerabilities
| flatten
| select VulnerabilityID PkgName Title
| uniq-by VulnerabilityID
| sort-by VulnerabilityID
| each {|r| print $'# ($r.PkgName) - ($r.Title)'; print ($r.VulnerabilityID)}

which outputs:

# golang.org/x/oauth2 - golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws
CVE-2025-22868
# github.com/opencontainers/runc - runc: container escape via 'masked path' abuse due to mount race conditions
CVE-2025-31133
# github.com/opencontainers/runc - runc: container escape with malicious config due to /dev/console mount and related races
CVE-2025-52565
# github.com/opencontainers/runc - runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects
CVE-2025-52881
# github.com/expr-lang/expr - github.com/expr-lang/expr: Expr: Denial of Service via uncontrolled recursion in expression evaluation
CVE-2025-68156
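As an added example (not from the original post or from oci-factory), the same processing in Python: a constructed report in the shape of the file above, the dedup-and-sort step, the .trivyignore rendering, and an extra check for .trivyignore entries that trivy no longer reports. The sample report, the `stale_ignores` helper and the target names are assumptions.

```python
import json

# Constructed sample shaped like scanner.result.Results[].Vulnerabilities[];
# the IDs and packages are the ones from the report above. The second Result
# has no Vulnerabilities key and the third repeats a CVE, to exercise the
# `where` filter and `uniq-by` steps of the nushell pipeline.
SAMPLE_REPORT = json.dumps({"scanner": {"result": {"Results": [
    {"Target": "grafana-agent (gobinary)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2025-31133", "PkgName": "github.com/opencontainers/runc",
         "InstalledVersion": "v1.1.14", "FixedVersion": "1.2.8, 1.3.3, 1.4.0-rc.3",
         "Severity": "HIGH", "Title": "runc: container escape via 'masked path' abuse due to mount race conditions"},
        {"VulnerabilityID": "CVE-2025-22868", "PkgName": "golang.org/x/oauth2",
         "InstalledVersion": "v0.26.0", "FixedVersion": "0.27.0",
         "Severity": "HIGH", "Title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws"}]},
    {"Target": "usr/bin/other (gobinary)"},
    {"Target": "usr/bin/helper (gobinary)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2025-31133", "PkgName": "github.com/opencontainers/runc",
         "InstalledVersion": "v1.1.14", "FixedVersion": "1.2.8, 1.3.3, 1.4.0-rc.3",
         "Severity": "HIGH", "Title": "runc: container escape via 'masked path' abuse due to mount race conditions"}]},
]}}})


def unique_vulns(report_json: str) -> list[dict]:
    """Flatten every Result that carries a Vulnerabilities list, keep the
    first row per VulnerabilityID (uniq-by) and sort by ID (sort-by)."""
    results = json.loads(report_json)["scanner"]["result"]["Results"]
    seen: dict[str, dict] = {}
    for result in results:
        for v in result.get("Vulnerabilities", []):
            seen.setdefault(v["VulnerabilityID"], v)
    return [seen[k] for k in sorted(seen)]


def render_trivyignore(vulns: list[dict]) -> str:
    """One '# PkgName - Title' comment followed by the bare ID, per CVE."""
    lines = []
    for v in vulns:
        lines.append(f"# {v['PkgName']} - {v['Title']}")
        lines.append(v["VulnerabilityID"])
    return "\n".join(lines) + "\n"


def stale_ignores(trivyignore_text: str, vulns: list[dict]) -> list[str]:
    """IDs still listed in .trivyignore that trivy no longer reports, so the
    file can be pruned rather than silently suppressing future findings."""
    reported = {v["VulnerabilityID"] for v in vulns}
    listed = [ln.strip() for ln in trivyignore_text.splitlines()
              if ln.strip() and not ln.lstrip().startswith("#")]
    return [i for i in listed if i not in reported]
```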
