From ab20caf259027d8ec7e56d6d42b5046bb1344433 Mon Sep 17 00:00:00 2001
From: Martin Roy
Date: Fri, 14 Nov 2025 09:09:30 -0500
Subject: [PATCH] BST-17950 Revert adding secret scanning to trivy-fs

The story that added this was aimed only at updating trivy-image since that's the only secret scanning we currently have for images. For source-code, without proper benchmarking, we don't want to offer trivy secret scanning as an alternative to gitleaks. Maybe it will come but not for now. This change will prevent the trivy-fs scans from bearing the "secrets" scan-type which shows up in the secret section of the scanner coverage.
---
 scanners/boostsecurityio/trivy-fs/module.yaml | 3 +--
 scanners/boostsecurityio/trivy-fs/rules.yaml | 1 -
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/scanners/boostsecurityio/trivy-fs/module.yaml b/scanners/boostsecurityio/trivy-fs/module.yaml
index d3891cc9..27e50d1b 100644
--- a/scanners/boostsecurityio/trivy-fs/module.yaml
+++ b/scanners/boostsecurityio/trivy-fs/module.yaml
@@ -4,7 +4,6 @@ id: boostsecurityio/trivy-fs
 name: Trivy (Filesystem scanning)
 namespace: boostsecurityio/trivy-fs
 scan_types:
-  - secrets
   - sca
 
 config:
@@ -107,7 +106,7 @@ steps:
         TRIVY_ADDITIONAL_ARGS: ${TRIVY_ADDITIONAL_ARGS---ignore-unfixed}
         TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
         TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
-        TRIVY_SCANNERS: vuln,secret
+        TRIVY_SCANNERS: vuln
       run: >
         $SETUP_PATH/trivy fs ${TRIVY_ADDITIONAL_ARGS}
diff --git a/scanners/boostsecurityio/trivy-fs/rules.yaml b/scanners/boostsecurityio/trivy-fs/rules.yaml
index ce0c16b7..f3edfd83 100644
--- a/scanners/boostsecurityio/trivy-fs/rules.yaml
+++ b/scanners/boostsecurityio/trivy-fs/rules.yaml
@@ -1,3 +1,2 @@
 import:
   - boostsecurityio/sca-cve
-  - boostsecurityio/stored-secrets
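Review bot: The new `TRIVY_SCANNERS: vuln` line in the second module.yaml hunk carries no comment saying that `secret` is left out on purpose, so the next person tuning this step can re-add it and silently reintroduce the `secrets` coverage this commit removes, now without the `boostsecurityio/stored-secrets` rules import that the rules.yaml hunk drops; add `# secret scanning intentionally disabled for fs scans (BST-17950); gitleaks covers source code` above it. The same hunk shows `TRIVY_ADDITIONAL_ARGS` is user-overridable via `${TRIVY_ADDITIONAL_ARGS---ignore-unfixed}`, and a caller passing a `--scanners` flag there would presumably override the env var, so it is worth confirming no secret findings can reach the now-unmapped rules path through that route. The `run: >` scalar continues past the end of the hunk, so check there as well that no scanner flag still names `secret`.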