From c1820eed142e9a3cd0acf1fbf6f459fa1f9b66aa Mon Sep 17 00:00:00 2001
From: Chris Bandy
Date: Fri, 6 Jun 2025 14:56:34 -0500
Subject: [PATCH 1/3] Scan for committed secrets during every pull request
Issue: PGO-2490
---
 .github/workflows/trivy.yaml | 23 ++++++++++++++++++++++-
 .trivyignore.yaml | 29 +++++++++++++++++++++++++++++
 trivy-secret.yaml | 15 +++++++++++++++
 trivy.yaml | 14 --------------
 4 files changed, 66 insertions(+), 15 deletions(-)
 create mode 100644 .trivyignore.yaml
 create mode 100644 trivy-secret.yaml
 delete mode 100644 trivy.yaml
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index 43c4371182..8211371ef0 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -48,7 +48,7 @@ jobs:
 with: { go-version: stable }
 - run: go mod download
- # Report success only when detected licenses are listed in [/trivy.yaml].
+ # Report success only when detected licenses are listed in [.trivyignore.yaml].
 - name: Scan licenses
 uses: ./.github/actions/trivy
 env:
@@ -59,6 +59,27 @@ jobs:
 cache: restore,use
 database: skip
+ secrets:
+ # Run this job after the cache job regardless of its success or failure.
+ needs: [cache]
+ if: >-
+ ${{ !cancelled() }}
+
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+
+ # Report success only when detected secrets are listed in [.trivyignore.yaml].
+ - name: Scan licenses
+ uses: ./.github/actions/trivy
+ env:
+ TRIVY_EXIT_CODE: 1
+ TRIVY_SCANNERS: secret
+ TRIVY_SECRET_CONFIG: trivy-secret.yaml
+ with:
+ cache: restore,use
+ database: skip
+
 vulnerabilities:
 # Run this job after the cache job regardless of its success or failure.
 needs: [cache]
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 0000000000..96d0e4e789
--- /dev/null
+++ b/.trivyignore.yaml
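Review bot: The new `secrets` job only sees the tree that `actions/checkout@v4` leaves in the workspace, so a credential committed in one PR commit and removed in a later one passes the check even though the patch subject says committed secrets are scanned; with checkout's default shallow fetch there is no history for the scanner to look at either (assuming `./.github/actions/trivy`, which is outside this hunk, runs a filesystem scan). If that scope is intended, state it above the step: `# Scans the checked-out tree only, not git history; a secret removed in a later commit of the same PR is not reported.` If history coverage is wanted, that needs a deeper fetch and a history-aware tool and belongs in its own change.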
@@ -0,0 +1,29 @@
+# Copyright 2024 - 2025 Crunchy Data Solutions, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# https://trivy.dev/latest/docs/configuration/filtering#trivyignoreyaml
+
+# Specify an exact list of recognized and acceptable licenses.
+# [A GitHub workflow](.github/workflows/trivy.yaml) rejects pull requests that import licenses not in this list.
+#
+# https://trivy.dev/latest/docs/scanner/license
+licenses:
+ - id: Apache-2.0
+ - id: BSD-2-Clause
+ - id: BSD-3-Clause
+ - id: ISC
+ - id: MIT
+
+# These values are used for testing and are not secret.
+# [A GitHub workflow](.github/workflows/trivy.yaml) rejects pull requests that contain secrets not in this list.
+#
+# https://trivy.dev/latest/docs/scanner/secret
+secrets:
+ - id: jwt-token
+ paths:
+ - internal/testing/token_*
+
+ - id: private-key
+ paths:
+ - internal/pki/*_test.go
diff --git a/trivy-secret.yaml b/trivy-secret.yaml
new file mode 100644
index 0000000000..451195484b
--- /dev/null
+++ b/trivy-secret.yaml
@@ -0,0 +1,15 @@
+# Copyright 2024 - 2025 Crunchy Data Solutions, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# schema documentation: https://trivy.dev/latest/docs/scanner/secret#configuration
+
+# Trivy has some built-in rules to ignore tests and documentation.
+# Disable those and define false-positives in [.trivyignore.yaml].
+#
+# https://github.com/aquasecurity/trivy/blob/-/pkg/fanal/secret/builtin-allow-rules.go
+disable-allow-rules:
+ - examples
+ - markdown
+ - tests
+ - vendor
diff --git a/trivy.yaml b/trivy.yaml
deleted file mode 100644
index 0000000000..b2ef32d785
--- a/trivy.yaml
+++ /dev/null
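Review bot: The `secrets` entries exempt every `jwt-token` match under `internal/testing/token_*` and every `private-key` match in `internal/pki/*_test.go`, so a real credential dropped into one of those files later is suppressed as well; the comment says the values are fixtures, but nothing ties the exemption to those specific fixtures. Keep the globs as tight as the fixtures allow and record the justification per entry so a later reviewer can tell a fixture from an accident — Trivy ignore entries accept a `statement` field, e.g. `statement: Fixture token generated for unit tests; not valid for any service.` Since `trivy-secret.yaml` in this same patch disables the built-in `tests` allow rule, this file is now the only place test fixtures are exempted, which is worth saying in the header so each new entry is understood as a deliberate widening of the allowlist.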
@@ -1,14 +0,0 @@
-# https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
----
-# Specify an exact list of recognized and acceptable licenses.
-# [A GitHub workflow](/.github/workflows/trivy.yaml) rejects pull requests that
-# import licenses not in this list.
-#
-# https://aquasecurity.github.io/trivy/latest/docs/scanner/license/
-license:
- ignored:
- - Apache-2.0
- - BSD-2-Clause
- - BSD-3-Clause
- - ISC
- - MIT
From 3ad30117ba0926a9012c7c9981752d5bb31165db Mon Sep 17 00:00:00 2001
From: Chris Bandy
Date: Fri, 6 Jun 2025 15:07:56 -0500
Subject: [PATCH 2/3] FIXUP: use the ignore file
---
 .github/workflows/trivy.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index 8211371ef0..b02be947b0 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -54,6 +54,7 @@ jobs:
 env:
 TRIVY_DEBUG: true
 TRIVY_EXIT_CODE: 1
+ TRIVY_IGNOREFILE: .trivyignore.yaml
 TRIVY_SCANNERS: license
 with:
 cache: restore,use
@@ -70,10 +71,11 @@ jobs:
 - uses: actions/checkout@v4
 # Report success only when detected secrets are listed in [.trivyignore.yaml].
- - name: Scan licenses
+ - name: Scan secrets
 uses: ./.github/actions/trivy
 env:
 TRIVY_EXIT_CODE: 1
+ TRIVY_IGNOREFILE: .trivyignore.yaml
 TRIVY_SCANNERS: secret
 TRIVY_SECRET_CONFIG: trivy-secret.yaml
 with:
From aebc13a838e63d81ac08bd7d8aa6c3a5305f3fa4 Mon Sep 17 00:00:00 2001
From: Chris Bandy
Date: Fri, 6 Jun 2025 15:13:13 -0500
Subject: [PATCH 3/3] FIXUP: configure once
---
 .github/workflows/trivy.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index b02be947b0..72805f1ac2 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -12,6 +12,10 @@ env:
 # https://github.com/actions/setup-go/issues/457
 GOTOOLCHAIN: local
+ # Use the committed Trivy configuration files.
+ TRIVY_IGNOREFILE: .trivyignore.yaml
+ TRIVY_SECRET_CONFIG: trivy-secret.yaml
+
 jobs:
 cache:
 # Run only one of these jobs at a time across the entire project.
@@ -54,7 +58,6 @@ jobs:
 env:
 TRIVY_DEBUG: true
 TRIVY_EXIT_CODE: 1
- TRIVY_IGNOREFILE: .trivyignore.yaml
 TRIVY_SCANNERS: license
 with:
 cache: restore,use
@@ -75,9 +78,7 @@ jobs:
 uses: ./.github/actions/trivy
 env:
 TRIVY_EXIT_CODE: 1
- TRIVY_IGNOREFILE: .trivyignore.yaml
 TRIVY_SCANNERS: secret
- TRIVY_SECRET_CONFIG: trivy-secret.yaml
 with:
 cache: restore,use
 database: skip
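Review bot: Moving `TRIVY_IGNOREFILE` to the workflow-level `env` makes `.trivyignore.yaml` apply to every job in the file, including `vulnerabilities` and `cache`, where the per-step setting it replaces did not reach (unless those jobs already set one; their `env` is outside these hunks). Any `vulnerabilities:` section added to the ignore file later will therefore suppress CVE findings in CI as well, which is a reasonable trade for configuring once but should be visible at the point of configuration: `# Use the committed Trivy configuration files. The ignore file applies to every scanner in this workflow, so entries added there are CI exemptions.`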