Scan for committed secrets during every pull request

.github/workflows/trivy.yaml

@@ -12,6 +12,10 @@ env:
   # https://github.com/actions/setup-go/issues/457
   GOTOOLCHAIN: local
 
+  # Use the committed Trivy configuration files.
+  TRIVY_IGNOREFILE: .trivyignore.yaml
+  TRIVY_SECRET_CONFIG: trivy-secret.yaml
+
 jobs:
   cache:
     # Run only one of these jobs at a time across the entire project.
@@ -48,7 +52,7 @@ jobs:
         with: { go-version: stable }
       - run: go mod download
 
-      # Report success only when detected licenses are listed in [/trivy.yaml].
+      # Report success only when detected licenses are listed in [.trivyignore.yaml].
       - name: Scan licenses
         uses: ./.github/actions/trivy
         env:
@@ -59,6 +63,26 @@ jobs:
           cache: restore,use
           database: skip
 
+  secrets:
+    # Run this job after the cache job regardless of its success or failure.
+    needs: [cache]
+    if: >-
+      ${{ !cancelled() }}
+
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      # Report success only when detected secrets are listed in [.trivyignore.yaml].
+      - name: Scan secrets
+        uses: ./.github/actions/trivy
+        env:
+          TRIVY_EXIT_CODE: 1
+          TRIVY_SCANNERS: secret
+        with:
+          cache: restore,use
+          database: skip
+
   vulnerabilities:
     # Run this job after the cache job regardless of its success or failure.
     needs: [cache]

.trivyignore.yaml

@@ -0,0 +1,29 @@
+# Copyright 2024 - 2025 Crunchy Data Solutions, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# https://trivy.dev/latest/docs/configuration/filtering#trivyignoreyaml
+
+# Specify an exact list of recognized and acceptable licenses.
+# [A GitHub workflow](.github/workflows/trivy.yaml) rejects pull requests that import licenses not in this list.
+#
+# https://trivy.dev/latest/docs/scanner/license
+licenses:
+  - id: Apache-2.0
+  - id: BSD-2-Clause
+  - id: BSD-3-Clause
+  - id: ISC
+  - id: MIT
+
+# These values are used for testing and are not secret.
+# [A GitHub workflow](.github/workflows/trivy.yaml) rejects pull requests that contain secrets not in this list.
+#
+# https://trivy.dev/latest/docs/scanner/secret
+secrets:
+  - id: jwt-token
+    paths:
+      - internal/testing/token_*
+
+  - id: private-key
+    paths:
+      - internal/pki/*_test.go

trivy-secret.yaml

@@ -0,0 +1,15 @@
+# Copyright 2024 - 2025 Crunchy Data Solutions, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# schema documentation: https://trivy.dev/latest/docs/scanner/secret#configuration
+
+# Trivy has some built-in rules to ignore tests and documentation.
+# Disable those and define false-positives in [.trivyignore.yaml].
+#
+# https://github.com/aquasecurity/trivy/blob/-/pkg/fanal/secret/builtin-allow-rules.go
+disable-allow-rules:
+  - examples
+  - markdown
+  - tests
+  - vendor