Don't use secret scanner for trivy - github already does it and it's hard to ignore the test key

.github/workflows/ci.yml

@@ -43,6 +43,9 @@ jobs:
 
   scan_container:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required for uploading SARIF results
+      contents: read
 
     steps:
       - name: Checkout code
@@ -58,6 +61,7 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
+          scanners: 'vuln'  # Only scan vulnerabilities, not secrets (avoids false positives in vendored gems)
 
       - name: Upload Trivy results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3