Skip website/config/custom.js in Trivy secret scan #45621

Merged: lukeheath merged 1 commit into main from trivy-skip-website-custom-js on May 15, 2026

Conversation

@lukeheath (Member) commented May 15, 2026

Summary

  • website/config/custom.js contains commented-out Stripe test-mode placeholders (pk_test_... / sk_test_...) shown to developers as example billing config.
  • Trivy's secret detector matches the Stripe regex regardless of comment syntax, so every push to main that touches a .tf file (e.g. the v4.85.0 release commit) trips the scan and fails CI: https://github.com/fleetdm/fleet/actions/runs/25920033570/job/76186369286
  • Added the file to the existing skip-files block in .github/workflows/trivy-scan.yml, matching the pattern used for the demo/test TLS keys already listed there.

Test plan

  • Push triggers the workflow on this PR; confirm the Trivy job passes (no Stripe secret findings).
  • Next push to main that touches a .tf file does not fail the Trivy scan.

Summary by CodeRabbit

  • Chores
    • Updated security scanning workflow configuration to refine file ignore patterns and improve scan coverage.

The file contains commented-out Stripe test-mode example placeholders that match Trivy's secret regex and fail every push to main that touches a .tf file.
Copilot AI review requested due to automatic review settings May 15, 2026 17:59

@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the Trivy workflow to avoid false-positive secret scan failures from documented Stripe test placeholders in the website development config.

Changes:

  • Adds website/config/custom.js to Trivy’s skip-files list.
  • Documents why the file is skipped alongside existing local-test key exclusions.

@coderabbitai (Contributor) commented May 15, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 9416a81 and 569866e.

📒 Files selected for processing (1)
  • .github/workflows/trivy-scan.yml

Walkthrough

This pull request modifies the Trivy security scanning workflow in .github/workflows/trivy-scan.yml. The skip-files configuration was expanded to exclude website/config/custom.js from the Trivy filesystem scan. Simultaneously, ee/orbit/pkg/httpsigproxy/httpsigproxy.go was removed from the skip-files list while remaining documented in the inline ignore comment block. No workflow logic, triggers, or other scanning behavior was altered.

Possibly related PRs

  • fleetdm/fleet#45164: Updates the same Trivy scan workflow configuration by expanding skip-files exclusions and modifying ignore entries for additional paths.
🚥 Pre-merge checks: ✅ 4 passed | ❌ 1 inconclusive

❌ Failed checks (1 inconclusive)
  • Description check: ❓ Inconclusive. The description provides context about the issue (Trivy matching the Stripe regex in comments), the solution (adding the file to skip-files), and a test plan, but does not follow the repository's PR template structure. Resolution: consider using the repository's standard PR template with checklist items like 'Changes file added', 'Testing', and relevant sections completed or marked as N/A.

✅ Passed checks (4 passed)
  • Title check: ✅ Passed. The title accurately describes the main change: adding website/config/custom.js to the skip-files list in the Trivy scan workflow configuration.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@sharon-fdm (Collaborator) left a comment

LGTM

@lukeheath lukeheath merged commit 326436c into main May 15, 2026
13 checks passed
@lukeheath lukeheath deleted the trivy-skip-website-custom-js branch May 15, 2026 19:24