From 46aa983189fec7dd9c68588dfe35b107cc022235 Mon Sep 17 00:00:00 2001
From: Dan Milne
Date: Fri, 2 Jan 2026 12:56:03 +1100
Subject: [PATCH] Don't use secret scanner for trivy - github already does it and it's hard to ignore the test key

---
 .github/workflows/ci.yml | 4 ++++
 README.md                | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5a5dfa6..f7f28d7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,6 +43,9 @@ jobs:
   scan_container:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required for uploading SARIF results
+      contents: read
     steps:
       - name: Checkout code
@@ -58,6 +61,7 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
+          scanners: 'vuln'  # Only scan vulnerabilities, not secrets (avoids false positives in vendored gems)
       - name: Upload Trivy results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
diff --git a/README.md b/README.md
index 48788aa..4deed79 100644
--- a/README.md
+++ b/README.md
@@ -724,10 +724,10 @@ brew install trivy  # macOS
 # Build and scan image (CRITICAL and HIGH severity only, like CI)
 docker build -t clinch:local .
-trivy image --severity CRITICAL,HIGH clinch:local
+trivy image --severity CRITICAL,HIGH --scanners vuln clinch:local
 # Scan only for fixable vulnerabilities
-trivy image --severity CRITICAL,HIGH --ignore-unfixed clinch:local
+trivy image --severity CRITICAL,HIGH --scanners vuln --ignore-unfixed clinch:local
 ```
 **CI/CD Integration:**
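Review bot: The new job-level `permissions` block replaces the default token grants for every step of `scan_container`, so any step that relied on another scope will now get a 403; only the checkout step is visible here and the rest of the job is outside the hunk, so confirm that no later step pushes a package or requests an OIDC token. If this repository is private, the `github/codeql-action/upload-sarif` documentation lists `actions: read` as required alongside `security-events: write`, so add `actions: read  # Required by upload-sarif in private repositories` under the block to keep the upload working without widening anything else. The least-privilege split itself is the right direction; keep it at job scope rather than lifting it to the workflow top level where every job would inherit `security-events: write`.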
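Review bot: Setting `scanners: 'vuln'` removes the only check that inspects the built image rather than the git tree: GitHub secret scanning covers repository contents, so credentials that reach image layers via build args, a copied `.env`, or the base image are no longer caught by anything in this job. If the only problem is a known test key, Trivy can keep the secret scanner and suppress that path instead, for example a `trivy-secret.yaml` with an `allow-rules` entry whose `path` regex matches the key's location, referenced from the Trivy config passed to the action; the exact input name should be checked against the action version pinned on the step's `uses:` line, which is above this hunk. The inline comment also gives a different reason (false positives in vendored gems) than the commit subject (a test key that is hard to ignore); make the comment state the real cause, e.g. `scanners: 'vuln'  # Secret scanning disabled: <path> is a known test key; GitHub secret scanning covers the repo`. The step's `with:` block starts outside the hunk.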