fix(ci): restrict Trivy to vulnerability scanner only #48
Reference in New Issue
Block a user
Delete Branch "fix/ci/trivy-vuln-only"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
First successful Trivy run (post #45's manual install) came back red on three "secret" findings — all demo RSA private keys embedded in the README / test fixtures of a cryptographic npm package, sitting deep in
.pnpm-store/v10/files/.... None of them are our secrets.Two observations:
scanjob already chainsgitleaks/gitleaks-action@v2right after Trivy. Running two secret scanners over the same tree just doubles the false-positive surface.--scanners vulnwhen secret scanning isn't the focus. And ADR-0015 always framed this step as "dependency vulnerability scan" — singular.Restrict Trivy to
--scanners vuln. Result: vuln scan againstpnpm-lock.yamlcomplementingpnpm audit(which uses the npm advisory DB; Trivy's DB is broader, sources from OSV/GHSA/etc.). Gitleaks stays the single secret-scan source.No
--skip-dirschange needed: vuln scanning readspnpm-lock.yaml, not the unpacked store.Test plan
scanjob goes green end-to-end on this PR —pnpm ci:audit✓,Install Trivy✓,Run Trivy✓ (no secret findings reported),gitleaks✓.pushto main post-merge, scan stays green.--scanners vulnflag.