Add exclusions for future trivy scans #45164

Merged
lukeheath merged 2 commits into main from add-exclusions-for-future-scans on May 12, 2026
Conversation

@lucasmrod
Member

@lucasmrod lucasmrod commented May 11, 2026

Summary by CodeRabbit

  • Chores
    • Refined security scan configuration to exclude specific test-only TLS key files from filesystem scans, adding explanatory comments and skip patterns to prevent spurious findings and improve scan relevance and clarity.

Review Change Stack

Copilot AI review requested due to automatic review settings May 11, 2026 17:41

@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

@coderabbitai
Contributor

coderabbitai Bot commented May 11, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 6d4dcbd and d5c8c09.

📒 Files selected for processing (1)
  • .github/workflows/trivy-scan.yml

Walkthrough

This PR updates the Trivy security scan workflow to exclude specific TLS key files and development proxy configuration from being scanned. Comments and a skip-files list are added to the Trivy action configuration, targeting paths that are used only for local testing and development purposes. This prevents Trivy from reporting findings for these development-only artifacts during the filesystem scan.

Possibly related PRs

  • fleetdm/fleet#44987: Also modifies .github/workflows/trivy-scan.yml to configure Trivy scan behavior.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. No pull request description was provided by the author, but the required template expects a detailed checklist covering testing, database migrations, and other critical checks. Resolution: add a pull request description that follows the template, including relevant checklist items and explaining the purpose of the exclusions and any testing performed.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title 'Add exclusions for future trivy scans' clearly and concisely describes the main change: adding exclusions to the Trivy scan configuration.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Copilot AI left a comment

Pull request overview

Updates the Trivy GitHub Actions workflow to exclude known development-only TLS keys (including embedded test keys) from Trivy filesystem scans, reducing noise in scan results.

Changes:

  • Adds a skip-files list to omit specific local/dev TLS key files (and source files containing embedded dev keys) from Trivy scanning.
  • Documents why each excluded file is safe to skip (local testing/demo usage).

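As an added illustration of the pattern the overview above describes (this is not fleet's own .github/workflows/trivy-scan.yml, which is not reproduced on this page), a trivy-action filesystem scan step that excludes individual test-only key files with skip-files while leaving the secret scanner itself enabled; the two excluded paths are placeholders:

```yaml
# Added example, not the project's workflow. File paths are placeholders;
# the real excluded files are listed in the PR diff, not on this page.
name: Trivy scan
on:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # weekly, so new findings surface outside PR traffic
permissions:
  contents: read
jobs:
  trivy-fs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy filesystem scan
        # Pin to a release tag or commit SHA in production rather than a branch.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          # Keep the secret scanner on: the goal is to silence known fixtures,
          # not to stop looking for real credentials.
          scanners: vuln,secret,misconfig
          severity: CRITICAL,HIGH
          exit-code: "1"
          # Exclude specific files, not whole directories (skip-dirs), so a
          # real key dropped next to a fixture is still caught. Comma-separated.
          # tools/tls/localhost.key:            self-signed cert for local dev server
          # server/testdata/embedded_dev_key.go: test-only key embedded in a Go test file
          skip-files: tools/tls/localhost.key,server/testdata/embedded_dev_key.go
```

Each entry in skip-files should carry a comment saying why it is safe to ignore, as the PR does, so the list can be audited whenever it grows.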

Comment thread .github/workflows/trivy-scan.yml Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@lukeheath lukeheath merged commit 5f6c8f3 into main May 12, 2026
9 checks passed
@lukeheath lukeheath deleted the add-exclusions-for-future-scans branch May 12, 2026 22:21