diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 124c794..9c34ece 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -101,8 +101,16 @@ jobs: tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy trivy --version - name: Run Trivy + # `--scanners vuln`: limit Trivy to vulnerability scanning. Its + # secret scanner false-positives on demo RSA keys embedded in + # the README/fixtures of cryptographic npm packages (which + # land under .pnpm-store/), and we already have gitleaks below + # as the dedicated secret-scan gate. Trivy's intent in this + # job, per ADR-0015, was always "dependency vulnerability + # scan" — restoring that scope. run: | trivy fs \ + --scanners vuln \ --ignore-unfixed \ --skip-dirs node_modules \ --exit-code 1 \