BST-17950 Revert adding secret scanning to trivy-fs (#263)

lindycoder · web-flow · commit 6817608b7332 · 2025-11-14T13:37:25.000-05:00
The story that added this was aimed only at updating trivy-image since that's the only secret scanning we currently have for images.

For source-code, without proper benchmarking, we don't want to offer trivy secret scanning as an alternative to gitleaks. Maybe it will come but not for now.

This change will prevent the trivy-fs scans from bearing the "secrets" scan-type which shows up in the secret section of the scanner coverage.
diff --git a/scanners/boostsecurityio/trivy-fs/module.yaml b/scanners/boostsecurityio/trivy-fs/module.yaml
@@ -4,7 +4,6 @@ id: boostsecurityio/trivy-fs
 name: Trivy (Filesystem scanning)
 namespace: boostsecurityio/trivy-fs
 scan_types:
-  - secrets
   - sca
 
 config:
@@ -107,7 +106,7 @@ steps:
           TRIVY_ADDITIONAL_ARGS: ${TRIVY_ADDITIONAL_ARGS---ignore-unfixed}
           TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
           TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
-          TRIVY_SCANNERS: vuln,secret
+          TRIVY_SCANNERS: vuln
         run: >
           $SETUP_PATH/trivy fs 
           ${TRIVY_ADDITIONAL_ARGS} 
diff --git a/scanners/boostsecurityio/trivy-fs/rules.yaml b/scanners/boostsecurityio/trivy-fs/rules.yaml
@@ -1,3 +1,2 @@
 import:
   - boostsecurityio/sca-cve
-  - boostsecurityio/stored-secrets

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,2 @@`
`1`	`1`	`import:`
`2`	`2`	`- boostsecurityio/sca-cve`
`3`		`- - boostsecurityio/stored-secrets`