Ticket
Resolves navapbc/template-application-nextjs#165
Changes
Context for reviewers
Vulnerability scans were failing for platform-test-nextjs.
First, I needed to output not to a file since the runs weren't showing any output. See https://github.com/navapbc/platform-test-nextjs/actions/runs/5418384398
So I made the logs output to stdout instead of to a file. And I changed back to table format which is better than JSON.
It turns out the reason for the failure was a false positive scan for an Alibaba secret.
Since I don't see any situation where our project would be using Alibaba, I figure we should disable it. Trivy recommends specifying either enable rules or disable rules: https://aquasecurity.github.io/trivy/v0.27.1/docs/secret/configuration/#disable-rules
Thinking about it, I think we should just focus on the secrets that are likely to be relevant to projects and leave out all the rest like Facebook, LinkedIn, etc. that are a waste of time to scan for. Projects can always add more if they need to. So this change adds an enable list.
Testing
I made the change in platform-test-nextjs where the false positive was showing up: see navapbc/platform-test-nextjs#77
The trivy scan now passes:
Fixing the Anchor scan is out of scope for this PR; that's an application fix which should be in template-application-nextjs.
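As an added illustration of the two Trivy secret-scanning configuration styles the description contrasts (this is not the PR's own config file, and the rule IDs are assumed to be Trivy's built-in rule IDs and should be checked against the Trivy version in use), here is a `trivy-secret.yaml` showing the narrow `disable-rules` fix beside the `enable-rules` allow list the change adopts:

```yaml
# trivy-secret.yaml (constructed example, not the file from the PR).
# `enable-rules` and `disable-rules` are Trivy's secret-scanner config keys
# (see the Trivy docs linked above). The rule IDs below are assumed to be
# Trivy built-in IDs; confirm them for your Trivy version before relying on them.

# Option A, the narrow fix: keep every built-in rule except the one that
# produced the false positive. Everything else (Facebook, LinkedIn, ...)
# still runs on every scan.
#
# disable-rules:
#   - alibaba-access-key-id
#   - alibaba-secret-key

# Option B, what the PR description chooses: an explicit allow list.
# Only the rules listed here run; any rule not named is skipped, and a
# project that needs more (e.g. a payment provider token) appends to the list.
enable-rules:
  - aws-access-key-id
  - aws-secret-access-key
  - github-pat
  - private-key
  - slack-access-token
```

Point Trivy at the file with `--secret-config trivy-secret.yaml` when running the secret scanner; with an allow list the scan only reports findings for the rules named, so a new false positive is traceable to one of a handful of patterns rather than the whole built-in set.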