# Trivy Ignore File
# Use this to suppress specific CVEs that are false positives or accepted risks
# Format: One CVE ID per line, with an optional "#" comment line above it explaining why it's ignored
#
# Documentation: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/

# ══════════════════════════════════════════════════════════════════════════
# Example: Ignored CVEs (remove these examples and add your own)
# ══════════════════════════════════════════════════════════════════════════

# CVE-2023-XXXXX - Example: Known false positive in test dependency
# Only affects development environment, not production

# CVE-2024-YYYYY - Example: Vulnerability in optional feature we don't use
# Our code doesn't use the affected module/function

# ══════════════════════════════════════════════════════════════════════════
# INSTRUCTIONS
# ══════════════════════════════════════════════════════════════════════════
# 1. Run Trivy and review findings
# 2. For each CVE you want to ignore:
#    a. Research the CVE thoroughly (NVD, vendor advisory)
#    b. Verify it's actually a false positive or accepted risk
#    c. Document WHY you're ignoring it (comment above the CVE line)
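#    d. Add expiration date if temporary (e.g., "# Expires: 2025-03-01")
#       Note: a comment is not enforced by Trivy; an "exp:2025-03-01" field
#       placed after the CVE ID on the same line is.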
# 3. Review this file quarterly - remove stale ignores
# 4. Never ignore CRITICAL severity without security team approval
#
# Example workflow:
#   $ trivy fs . --severity CRITICAL,HIGH
#   # Review output, decide CVE-2024-12345 is a false positive
#   # Add to this file (reason as a comment line, then the bare ID):
#   #     # False positive: affects Windows only, we deploy on Linux
#   #     CVE-2024-12345
#
# ══════════════════════════════════════════════════════════════════════════
# COMMON FALSE POSITIVES (examples - verify for your case)
# ══════════════════════════════════════════════════════════════════════════

# Python test dependencies (pytest, coverage, etc.) - LOW priority
# Usually safe to ignore unless running tests in production

# Documentation tools (Sphinx, mkdocs) - LOW priority
# Only used during doc generation, not at runtime

# Development linters/formatters (black, ruff, mypy) - LOW priority
# Not included in production deployments

# ══════════════════════════════════════════════════════════════════════════
# ACTUAL IGNORES START HERE (add your CVEs below)
# ══════════════════════════════════════════════════════════════════════════

# (none yet - add as needed)
