From 569866e3ce11d7cca02dc821320faa0cae0a50ac Mon Sep 17 00:00:00 2001
From: Luke Heath
Date: Fri, 15 May 2026 12:59:19 -0500
Subject: [PATCH] Skip website/config/custom.js in Trivy scan

The file contains commented-out Stripe test-mode example placeholders that match Trivy's secret regex and fail every push to main that touches a .tf file.
---
 .github/workflows/trivy-scan.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
index b02d231141a..0615a934da6 100644
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -129,13 +129,15 @@ jobs:
  # - tools/osquery/in-a-box/osquery/fleet.key: TLS key for the "Fleet in a box" demo
  # - tools/osquery/fleet.key: TLS key for the standalone osquery dev sandbox
  # - orbit/pkg/insecure/proxy.go: TLS key used when running orbit with `--insecure` mode for development/testing.
- # - ee/orbit/pkg/httpsigproxy/httpsigproxy.go: TLS key only used for osquery to orbit _local_ communication
+ # - ee/orbit/pkg/httpsigproxy/httpsigproxy.go: TLS key only used for osquery to orbit _local_ communication
  # (for injection of HTTP signatures for the TPM-backed feature in Linux).
+ # - website/config/custom.js: commented-out Stripe test-mode placeholders shown as example config.
  skip-files: |
  tools/osquery/in-a-box/osquery/fleet.key
  tools/osquery/fleet.key
  orbit/pkg/insecure/proxy.go
  ee/orbit/pkg/httpsigproxy/httpsigproxy.go
+ website/config/custom.js
  - name: Upload Trivy scan results to GitHub Security tab
  # Only upload on schedule/manual runs. PR/push uploads register