Getting Tripwire to stop complaining about apt upgrades

We use tripwire on Ubuntu servers to monitor integrity of key files. We regularly update packages with apt and end up with noise from tripwire because staff find it is a hassle to update tripwire with knowledge of approved changes we have made.

Is there a script that we could use that would wrap our apt update; apt upgrade with some tripwire commands that would abort before starting the apt upgrades if there was a problem known by tripwire (of a certain level), and commit any changes made by apt upgrade to the tripwire known baseline state after the upgrade? I realize there might be an intrusion during the apt upgrade that changed some other file, but would reluctantly be willing to live with that to reduce the noise from tripwire problems.

We would like to be running apt to auto upgrade every night, but currently run it manually when prompted by some incinga monitoring we have set up.

This seems like a common workflow but I can’t find a script for it.