fix(ci): restrict Trivy to vulnerability scanner only #48

Merged
julien merged 1 commits from fix/ci/trivy-vuln-only into main 2026-05-07 13:18:52 +02:00
Owner

Summary

First successful Trivy run (post #45's manual install) came back red on three "secret" findings — all demo RSA private keys embedded in the README / test fixtures of a cryptographic npm package, sitting deep in .pnpm-store/v10/files/.... None of them are our secrets.

Two observations:

  • The scan job already chains gitleaks/gitleaks-action@v2 right after Trivy. Running two secret scanners over the same tree just doubles the false-positive surface.
  • Trivy's own log suggests --scanners vuln when secret scanning isn't the focus. And ADR-0015 always framed this step as "dependency vulnerability scan" — singular.

Restrict Trivy to --scanners vuln. Result: vuln scan against pnpm-lock.yaml complementing pnpm audit (which uses the npm advisory DB; Trivy's DB is broader, sources from OSV/GHSA/etc.). Gitleaks stays the single secret-scan source.

No --skip-dirs change needed: vuln scanning reads pnpm-lock.yaml, not the unpacked store.

Test plan

  • scan job goes green end-to-end on this PR — pnpm ci:audit ✓, Install Trivy ✓, Run Trivy ✓ (no secret findings reported), gitleaks ✓.
  • On push to main post-merge, scan stays green.
  • Future Trivy bumps (manual, see workflow comment) keep this --scanners vuln flag.
## Summary First successful Trivy run (post #45's manual install) came back red on three "secret" findings — all demo RSA private keys embedded in the README / test fixtures of a cryptographic npm package, sitting deep in `.pnpm-store/v10/files/...`. None of them are our secrets. Two observations: - The `scan` job already chains `gitleaks/gitleaks-action@v2` right after Trivy. Running two secret scanners over the same tree just doubles the false-positive surface. - Trivy's own log suggests `--scanners vuln` when secret scanning isn't the focus. And [ADR-0015](docs/decisions/0015-cicd-gitea-actions.md) always framed this step as "dependency vulnerability scan" — singular. Restrict Trivy to `--scanners vuln`. Result: vuln scan against `pnpm-lock.yaml` complementing `pnpm audit` (which uses the npm advisory DB; Trivy's DB is broader, sources from OSV/GHSA/etc.). Gitleaks stays the single secret-scan source. No `--skip-dirs` change needed: vuln scanning reads `pnpm-lock.yaml`, not the unpacked store. ## Test plan - [ ] `scan` job goes green end-to-end on this PR — `pnpm ci:audit` ✓, `Install Trivy` ✓, `Run Trivy` ✓ (no secret findings reported), `gitleaks` ✓. - [ ] On `push` to main post-merge, scan stays green. - [ ] Future Trivy bumps (manual, see workflow comment) keep this `--scanners vuln` flag.
julien added 1 commit 2026-05-07 13:16:17 +02:00
fix(ci): restrict Trivy to vulnerability scanner only
CI / commits (pull_request) Successful in 2m20s
CI / check (pull_request) Successful in 2m41s
CI / scan (pull_request) Failing after 2m50s
CI / a11y (pull_request) Successful in 2m52s
CI / perf (pull_request) Successful in 5m31s
9b6967d352
The first successful Trivy run (after #45 wired the manual install)
came back red on three "secret" findings, all of them demo RSA
private keys embedded in the README / test fixtures of a
cryptographic npm package, sitting deep in `.pnpm-store/v10/files/`
where pnpm content-addressably caches its packages. They are not
our secrets.

Two observations:

- The job already chains `gitleaks/gitleaks-action@v2` after Trivy
  — running two secret scanners over the same tree is just twice
  the false-positive surface.
- Trivy's own log helpfully suggests `--scanners vuln` when secret
  scanning is not the focus, and ADR-0015 always framed this step
  as "dependency vulnerability scan", singular.

Restrict Trivy to `--scanners vuln` so it only runs the vuln check
(against `pnpm-lock.yaml`, complementing `pnpm audit`'s npm-advisory
view with Trivy's broader source). Gitleaks remains the single
secret-scan source.

No `--skip-dirs` change needed: the vuln scan reads `pnpm-lock.yaml`,
not the unpacked store contents.
julien merged commit 6fc26db1b5 into main 2026-05-07 13:18:52 +02:00
julien deleted branch fix/ci/trivy-vuln-only 2026-05-07 13:18:53 +02:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: julien/apf_portal#48