From 22f861fed29dbfe0315a80a4df129915c2134953 Mon Sep 17 00:00:00 2001
From: Uno-Takashi
Date: Mon, 22 Jun 2026 23:56:44 +0000
Subject: [PATCH] ci: limit Trivy to vulnerability scanning (scanners: vuln)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Trivy step ran the default vuln+secret scanners, and secret scanning flagged an example OpenSSH private key embedded in a third-party library docstring (autobahn's cryptosign module, a transitive dep via daphne) as a HIGH AsymmetricPrivateKey finding, failing the job. This is a false positive, not a real secret leak or CVE. Set scanners: vuln so the step does what its name implies — scan the image for HIGH/CRITICAL OS/library vulnerabilities only.

Co-Authored-By: Claude Opus 4.8
---
 .github/workflows/security.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 2b81b60..0d5b3e0 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -85,6 +85,10 @@ jobs:
 with:
 image-ref: "backend-django:latest"
 format: "table"
+ # Vulnerability scanning only. Secret scanning is disabled because it
+ # flags example private keys embedded in third-party library docstrings
+ # (e.g. autobahn's cryptosign module) as false positives.
+ scanners: "vuln"
 severity: "HIGH,CRITICAL"
 exit-code: "1"
 ignore-unfixed: true
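Review bot: `scanners: "vuln"` turns secret scanning off for the whole image to silence one known false positive, so a credential baked into the image outside that library (a copied `.env`, a key in the application's own source, a build-arg value left in a layer) would no longer fail this step. A narrower fix keeps both scanners and excludes only the offending input, e.g. the action's `skip-files` input pointing at autobahn's cryptosign module path, or a `.trivyignore` entry for the finding's rule ID passed through the `trivyignores` input, either of which preserves secret coverage for first-party files. If the broad exclusion is kept on purpose, the added comment should record that trade-off rather than only the false positive, e.g. `# NOTE: this also drops secret detection for first-party files; secret scanning is covered by <other job or tool>` with the placeholder replaced only if such coverage exists. The `with:` block belongs to a step whose `name:`/`uses:` lines are outside the hunk.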