
Multiple --config args

Open jayvdb opened this issue 3 months ago • 4 comments

osv-scanner allows multiple --config args, and as best I can tell the earlier config files are ignored and only the last --config is used.

I have two use cases where our processes would benefit from multiple config files being specified by --config.

We run osv-scanner as part of Rust build steps, using --lockfile Cargo.lock at the top level directory of the workspace. The config for these needs to ignore several RUSTSEC vulns that are unfixable.

The Rust binaries are built using cargo-auditable.

Later in the CI, we also put the Rust binaries on docker images, and extract an SBOM of the image using syft. These SBOMs therefore contain Ubuntu binaries that have CVEs and Rust binaries which have RUSTSECs. We then run osv-scanner on those SBOMs. It would be useful to have the Ubuntu CVE ignores in a separate config file. There is no sensible way to use subdirectory based multiple osv-scanner.toml files to split them, as both Ubuntu and Rust sets are at the top level of the repo. (no, creating a docker/.. won't work, trust me)

The more important use case is we have a repo which builds two images: one is the production base docker image, and the second image is the build image, which is the production base docker image + the tools needed to build Rust binaries that are put onto the production base docker image. The CVE ignores for the production base docker image need to be approved by the Engineering Manager, while the CVEs on only the build image are important to track, but do not need approval from the Engineering Manager. As a result, we currently have two config files, one for prod and the other for the build image, and the build image config includes all the entries in the prod config file. This is so that it is clear that touching the prod ignore list results in a different approval process. It would be useful for the build image SBOM check to use two non-overlapping config files: the prod config file and the build image config file.

jayvdb avatar Aug 26 '25 12:08 jayvdb

Apologies for the late reply!

We had a discussion about this and the conclusion is this feels like something that can be done with an external script to combine config files before running osv-scanner, so we probably don't want to bloat the scanner itself with this functionality.

another-rex avatar Oct 02 '25 00:10 another-rex

Ok, makes sense.

Then should osv-scanner error if given multiple --config values?

jayvdb avatar Oct 05 '25 00:10 jayvdb

Hmm, I think this is the default for the CLI library we are using. The reasoning, I believe, is that if you are writing a script and want to append a config, you can just put it at the end of the script to override the defaults specified in the script.

E.g.

#!/bin/sh
# osv-scanner-preset.sh
# Quote "$@" so caller arguments with spaces survive; a later --config on
# the command line overrides abcd.toml because the last --config wins.
exec osv-scanner --some --preset --flags --config=abcd.toml "$@"

---

./osv-scanner-preset.sh --config=overridepath.toml

another-rex avatar Oct 07 '25 04:10 another-rex

A security tool silently ignoring CLI args feels very wrong.

jayvdb avatar Oct 08 '25 22:10 jayvdb