navapbc · lorenyu · Jun 30, 2023 · Jun 30, 2023 · Jun 30, 2023 · Jun 30, 2023
diff --git a/.github/workflows/ci-vulnerability-scans.yml b/.github/workflows/ci-vulnerability-scans.yml
@@ -63,19 +63,16 @@ jobs:
         with:
           scan-type: image
           image-ref: ${{ steps.build-image.outputs.image }}
-          format: json
+          format: table
           exit-code: 1
           ignore-unfixed: true
           vuln-type: os
           scanners: vuln,secret
-          output: trivy_results.json
 
       - name: Save output to workflow summary
         if: always() # Runs even if there is a failure
         run: |
-          echo "```json" >> $GITHUB_STEP_SUMMARY
-          cat trivy_results.json >> $GITHUB_STEP_SUMMARY
-          echo "```" >> $GITHUB_STEP_SUMMARY
+          echo "View results in GitHub Action logs" >> $GITHUB_STEP_SUMMARY
 
   anchore-scan:
     runs-on: ubuntu-latest
@@ -100,7 +97,7 @@ jobs:
       - name: Save output to workflow summary
         if: always() # Runs even if there is a failure
         run: |
-          echo "Click on the anchore-scan job in the top left Jobs section to view the results" >> $GITHUB_STEP_SUMMARY
+          echo "View results in GitHub Action logs" >> $GITHUB_STEP_SUMMARY
 
   dockle-scan:
     runs-on: ubuntu-latest

diff --git a/trivy-secret.yaml b/trivy-secret.yaml
@@ -0,0 +1,21 @@
+# Trivy recommends specifying either enable-builin-rules or disable-rules
+# See https://aquasecurity.github.io/trivy/v0.27.1/docs/secret/configuration/
+# For list of all available rules, see
+# https://github.com/aquasecurity/fanal/blob/main/secret/builtin-rules.go
+enable-builtin-rules:
+  - aws-access-key-id
+  - aws-account-id
+  - aws-secret-access-key
+  - github-pat
+  - github-oauth
+  - github-app-token
+  - github-refresh-token
+  - gitlab-pat
+  - private-key
+  - slack-access-token
+  - slack-web-hook
+  - atlassian-api-token
+  - hashicorp-tf-api-token
+  - new-relic-user-api-key
+  - new-relic-user-api-id
+  - new-relic-browser-api-token