fix(ci): restrict Trivy to vulnerability scanner only #49

Merged
julien merged 1 commits from fix/ci/trivy-vuln-only into main 2026-05-07 19:09:15 +02:00
+8
View File
@@ -101,8 +101,16 @@ jobs:
tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy
trivy --version trivy --version
- name: Run Trivy - name: Run Trivy
# `--scanners vuln`: limit Trivy to vulnerability scanning. Its
# secret scanner false-positives on demo RSA keys embedded in
# the README/fixtures of cryptographic npm packages (which
# land under .pnpm-store/), and we already have gitleaks below
# as the dedicated secret-scan gate. Trivy's intent in this
# job, per ADR-0015, was always "dependency vulnerability
# scan" — restoring that scope.
run: | run: |
trivy fs \ trivy fs \
--scanners vuln \
--ignore-unfixed \ --ignore-unfixed \
--skip-dirs node_modules \ --skip-dirs node_modules \
--exit-code 1 \ --exit-code 1 \