
Disable alibaba secret scanning #342

Merged
merged 4 commits into from
Jun 30, 2023

Conversation

@lorenyu (Contributor) commented Jun 30, 2023

Ticket

Resolves navapbc/template-application-nextjs#165

Changes

  • Disable alibaba secret scanning
  • Output trivy scans to table format

Context for reviewers

Vulnerability scans were failing for platform-test-nextjs.

First, I needed to stop writing the output to a file, since the runs weren't showing any output. See https://github.com/navapbc/platform-test-nextjs/actions/runs/5418384398

So I made the logs output to stdout instead of to a file. And I changed back to table format which is better than JSON.

It turns out the reason for the failure was a false positive scan for alibaba secret.

[screenshot]

Since I don't see any situation where our project would be using alibaba I figure we should disable it. Trivy recommends specifying either enable rules or disable rules: https://aquasecurity.github.io/trivy/v0.27.1/docs/secret/configuration/#disable-rules

Thinking about it, I think we should just focus on the secrets that are likely to be relevant to projects and leave out all the rest like facebook, linkedin, etc. that are a waste of time to scan for. Projects can always add more if they need to. So this change adds an enable list.

Testing

I made the change in platform-test-nextjs where the false positive was showing up: see navapbc/platform-test-nextjs#77

The trivy scan now passes:

[screenshot]

Fixing the Anchor scan is out of scope for this PR; that's an application fix, which should be in template-application-nextjs.
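A concrete form of the enable-list described above, as an added example and not the config file from this PR. It assumes Trivy's `trivy-secret.yaml` format with the `enable-builtin-rules` and `disable-rules` keys, that the rule IDs listed exist in the installed Trivy version's built-in rule set, and the `--secret-config` flag shown in the comment.

```yaml
# trivy-secret.yaml -- added example, not the file committed by this PR.
# Allow-list style: only the built-in rules named here run. Every other
# built-in rule (alibaba-*, facebook, linkedin, ...) is skipped, so the
# false positive that broke the platform-test-nextjs scan cannot recur
# and the scan spends no time on detectors the project will never match.
# Assumed invocation: trivy fs --secret-config trivy-secret.yaml --format table .
enable-builtin-rules:
  - aws-access-key-id       # rule IDs assumed; check `trivy` built-in rule list
  - aws-secret-access-key
  - github-pat
  - private-key

# The other option the Trivy docs describe is a deny-list: every built-in
# rule stays active and only the noisy one is removed. Use one style or
# the other, not both, so the effective rule set stays obvious in review.
# disable-rules:
#   - alibaba-secret-access-key   # assumed ID for the rule that fired
```

Keep the file in the repository root (or pass its path explicitly) so the same rule set applies locally and in CI, and review additions to the list the way you would review any other security control.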

@lorenyu lorenyu merged commit d6a4f5c into main Jun 30, 2023
4 checks passed
@lorenyu lorenyu deleted the lorenyu/scans branch June 30, 2023 17:07
Successfully merging this pull request may close these issues.

Vulnerability scan shows "alibaba-secret-access-id"