Scan for committed secrets during every pull request

cbandy · cbandy · commit c1820eed142e · 2025-06-06T14:56:34.000-05:00
Issue: PGO-2490
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -48,7 +48,7 @@ jobs:
         with: { go-version: stable }
       - run: go mod download
 
-      # Report success only when detected licenses are listed in [/trivy.yaml].
+      # Report success only when detected licenses are listed in [.trivyignore.yaml].
       - name: Scan licenses
         uses: ./.github/actions/trivy
         env:
@@ -59,6 +59,27 @@ jobs:
           cache: restore,use
           database: skip
 
+  secrets:
+    # Run this job after the cache job regardless of its success or failure.
+    needs: [cache]
+    if: >-
+      ${{ !cancelled() }}
+
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      # Report success only when detected secrets are listed in [.trivyignore.yaml].
+      - name: Scan licenses
+        uses: ./.github/actions/trivy
+        env:
+          TRIVY_EXIT_CODE: 1
+          TRIVY_SCANNERS: secret
+          TRIVY_SECRET_CONFIG: trivy-secret.yaml
+        with:
+          cache: restore,use
+          database: skip
+
   vulnerabilities:
     # Run this job after the cache job regardless of its success or failure.
     needs: [cache]
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
@@ -0,0 +1,29 @@
+# Copyright 2024 - 2025 Crunchy Data Solutions, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# https://trivy.dev/latest/docs/configuration/filtering#trivyignoreyaml
+
+# Specify an exact list of recognized and acceptable licenses.
+# [A GitHub workflow](.github/workflows/trivy.yaml) rejects pull requests that import licenses not in this list.
+#
+# https://trivy.dev/latest/docs/scanner/license
+licenses:
+  - id: Apache-2.0
+  - id: BSD-2-Clause
+  - id: BSD-3-Clause
+  - id: ISC
+  - id: MIT
+
+# These values are used for testing and are not secret.
+# [A GitHub workflow](.github/workflows/trivy.yaml) rejects pull requests that contain secrets not in this list.
+#
+# https://trivy.dev/latest/docs/scanner/secret
+secrets:
+  - id: jwt-token
+    paths:
+      - internal/testing/token_*
+
+  - id: private-key
+    paths:
+      - internal/pki/*_test.go
diff --git a/trivy-secret.yaml b/trivy-secret.yaml
@@ -0,0 +1,15 @@
+# Copyright 2024 - 2025 Crunchy Data Solutions, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# schema documentation: https://trivy.dev/latest/docs/scanner/secret#configuration
+
+# Trivy has some built-in rules to ignore tests and documentation.
+# Disable those and define false-positives in [.trivyignore.yaml].
+#
+# https://github.com/aquasecurity/trivy/blob/-/pkg/fanal/secret/builtin-allow-rules.go
+disable-allow-rules:
+  - examples
+  - markdown
+  - tests
+  - vendor
diff --git a/trivy.yaml b/trivy.yaml
