diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index 43c4371182..72805f1ac2 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -12,6 +12,10 @@ env:
 # https://github.com/actions/setup-go/issues/457
 GOTOOLCHAIN: local
+ # Use the committed Trivy configuration files.
+ TRIVY_IGNOREFILE: .trivyignore.yaml
+ TRIVY_SECRET_CONFIG: trivy-secret.yaml
+
 jobs:
 cache:
 # Run only one of these jobs at a time across the entire project.
@@ -48,7 +52,7 @@ jobs:
 with: { go-version: stable }
 - run: go mod download
- # Report success only when detected licenses are listed in [/trivy.yaml].
+ # Report success only when detected licenses are listed in [.trivyignore.yaml].
 - name: Scan licenses
 uses: ./.github/actions/trivy
 env:
@@ -59,6 +63,26 @@ jobs:
 cache: restore,use
 database: skip
+ secrets:
+ # Run this job after the cache job regardless of its success or failure.
+ needs: [cache]
+ if: >-
+ ${{ !cancelled() }}
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+ # Report success only when detected secrets are listed in [.trivyignore.yaml].
+ - name: Scan secrets
+ uses: ./.github/actions/trivy
+ env:
+ TRIVY_EXIT_CODE: 1
+ TRIVY_SCANNERS: secret
+ with:
+ cache: restore,use
+ database: skip
+
 vulnerabilities:
 # Run this job after the cache job regardless of its success or failure.
 needs: [cache]
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 0000000000..96d0e4e789
--- /dev/null
+++ b/.trivyignore.yaml
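Review bot: `TRIVY_IGNOREFILE` and `TRIVY_SECRET_CONFIG` are set at the workflow level, so the ignore file now governs suppressions for every Trivy invocation in this workflow, including the vulnerabilities job whose body lies outside the hunk, not only the license and secret scans the comment mentions. A `vulnerabilities:` entry added to `.trivyignore.yaml` later would therefore silence CVE findings here as well; the comment should say so, e.g. `# Shared by every Trivy job below; entries in the ignore file suppress findings for all of them.`. Both values are repository-relative paths, which presumably resolves because the local action runs from the checkout root — worth confirming.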
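Review bot: The new secrets job scans only the files present in the checkout, and `actions/checkout@v4` at its default depth gives the PR head tree, so a credential committed and then removed in an earlier commit of the same PR is not reported. State that scope in the comment above the step, e.g. `# Scans the checked-out tree only, not git history; TRIVY_IGNOREFILE lists the known test fixtures.`. `actions/checkout@v4` is also a mutable tag; if the workflow's other jobs pin actions to a commit SHA (`actions/checkout@<full-commit-sha> # v4`), this step should match so the secret scan itself is not exposed to tag rewrites. The enclosing `jobs:` mapping starts and ends outside the hunk.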
@@ -0,0 +1,29 @@
+# Copyright 2024 - 2025 Crunchy Data Solutions, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# https://trivy.dev/latest/docs/configuration/filtering#trivyignoreyaml
+
+# Specify an exact list of recognized and acceptable licenses.
+# [A GitHub workflow](.github/workflows/trivy.yaml) rejects pull requests that import licenses not in this list.
+#
+# https://trivy.dev/latest/docs/scanner/license
+licenses:
+ - id: Apache-2.0
+ - id: BSD-2-Clause
+ - id: BSD-3-Clause
+ - id: ISC
+ - id: MIT
+
+# These values are used for testing and are not secret.
+# [A GitHub workflow](.github/workflows/trivy.yaml) rejects pull requests that contain secrets not in this list.
+#
+# https://trivy.dev/latest/docs/scanner/secret
+secrets:
+ - id: jwt-token
+ paths:
+ - internal/testing/token_*
+
+ - id: private-key
+ paths:
+ - internal/pki/*_test.go
diff --git a/trivy-secret.yaml b/trivy-secret.yaml
new file mode 100644
index 0000000000..451195484b
--- /dev/null
+++ b/trivy-secret.yaml
@@ -0,0 +1,15 @@
+# Copyright 2024 - 2025 Crunchy Data Solutions, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# schema documentation: https://trivy.dev/latest/docs/scanner/secret#configuration
+
+# Trivy has some built-in rules to ignore tests and documentation.
+# Disable those and define false-positives in [.trivyignore.yaml].
+#
+# https://github.com/aquasecurity/trivy/blob/-/pkg/fanal/secret/builtin-allow-rules.go
+disable-allow-rules:
+ - examples
+ - markdown
+ - tests
+ - vendor
diff --git a/trivy.yaml b/trivy.yaml
deleted file mode 100644
index b2ef32d785..0000000000
--- a/trivy.yaml
+++ /dev/null
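Review bot: The two `secrets:` entries suppress a rule for every file matching a glob, with no `statement:` or `expired_at:`, so a real private key later added to any `internal/pki/*_test.go` file would be suppressed silently alongside the intended fixtures. Trivy's `.trivyignore.yaml` accepts `statement:` per entry; recording the rationale there (e.g. `statement: fixtures generated for unit tests; not valid credentials`) keeps the reason visible in scan output, and narrowing `paths` to the specific fixture files limits what each glob covers. The `licenses:` list acts as an allow-list only if the license scanner reports every detected license as a finding; that depends on how `./.github/actions/trivy` configures the scan, which is not visible here.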
@@ -1,14 +0,0 @@ -# https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ ---- -# Specify an exact list of recognized and acceptable licenses. -# [A GitHub workflow](/.github/workflows/trivy.yaml) rejects pull requests that -# import licenses not in this list. -# -# https://aquasecurity.github.io/trivy/latest/docs/scanner/license/ -license: - ignored: - - Apache-2.0 - - BSD-2-Clause - - BSD-3-Clause - - ISC - - MIT