feat(report): support OPA to filter vulnerabilities (#562)

* feat(cli): add --filter option

* feat(opa): support OPA

* test(opa): add a test case with OPA

* test: update a mock

* chore(mod): update dependencies

* chore(filter): add example Rego files

* chore(README): update

* chore(rego): apply opa fmt

* refactor: replace filter with policy

* chore(policy): update rego files

* fix(vulnerability): evaluate each vulnerability

* chore(README): update

* Update README.md

Co-authored-by: Itay Shakury <itay@itaysk.com>

* Update README.md

Co-authored-by: Itay Shakury <itay@itaysk.com>

* chore(README): update a TOC link

* fix: replace allow with ignore

* chore(README): update

Co-authored-by: Itay Shakury <itay@itaysk.com>

README.md

@@ -44,6 +44,7 @@ A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifa
     + [Save the results using a template](#save-the-results-using-a-template)
     + [Filter the vulnerabilities by severities](#filter-the-vulnerabilities-by-severities)
     + [Filter the vulnerabilities by type](#filter-the-vulnerabilities-by-type)
+    + [Filter the vulnerabilities by Open Policy Agent](#filter-the-vulnerabilities-by-open-policy-agent-policy)
     + [Skip update of vulnerability DB](#skip-update-of-vulnerability-db)
     + [Only download vulnerability database](#only-download-vulnerability-database)
     + [Ignore unfixed vulnerabilities](#ignore-unfixed-vulnerabilities)
@@ -1098,6 +1099,41 @@ Total: 4751 (UNKNOWN: 1, LOW: 150, MEDIUM: 3504, HIGH: 1013, CRITICAL: 83)
 
 </details>
 
+### Filter the vulnerabilities by Open Policy Agent policy
+[EXPERIMENTAL] This feature might change without preserving backwards compatibility.
+
+Trivy supports Open Policy Agent (OPA) to filter vulnerabilities. You can specify a Rego file with `--ignore-policy` option.
+
+The Rego package name must be `trivy` and it must include a rule called `ignore` which determines if each individual vulnerability should be excluded (ignore=true) or not (ignore=false). In the policy, each vulnerability will be available for inspection as the `input` variable. The structure of each vulnerability input is the same as for the Trivy JSON output.  
+There is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`. For more info about the helper functions, look at the library [here](pkg/vulnerability/module.go)
+
+To get started, see the [example policy](./contrib/example_policy).
+
+```
+$ trivy image --policy contrib/example_filter/basic.rego centos:7
+```
+
+<details>
+<summary>Result</summary>
+
+```
+centos:7 (centos 7.8.2003)
+==========================
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
++---------+------------------+----------+-------------------+---------------+--------------------------------+
+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
++---------+------------------+----------+-------------------+---------------+--------------------------------+
+| glib2   | CVE-2016-3191    | HIGH     | 2.56.1-5.el7      |               | pcre: workspace overflow       |
+|         |                  |          |                   |               | for (*ACCEPT) with deeply      |
+|         |                  |          |                   |               | nested parentheses (8.39/13,   |
+|         |                  |          |                   |               | 10.22/12)                      |
++---------+------------------+----------+-------------------+---------------+--------------------------------+
+```
+
+</details>
+
+
 ### Skip update of vulnerability DB
 
 `Trivy` always updates its vulnerability database when it starts operating. This is usually fast, as it is a difference update. But if you want to skip even that, use the `--skip-update` option.