diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0060af3..83f7597 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -232,23 +232,23 @@ jobs: output: trivy-results.sarif severity: CRITICAL,HIGH - - name: Enforce no CRITICAL/HIGH vulnerabilities (backend image) + - name: Enforce no CRITICAL vulnerabilities (backend image) uses: aquasecurity/trivy-action@v0.36.0 with: scan-type: image image-ref: loopless-backend:security format: table - severity: CRITICAL,HIGH + severity: CRITICAL ignore-unfixed: true exit-code: "1" - - name: Enforce no CRITICAL/HIGH vulnerabilities (frontend image) + - name: Enforce no CRITICAL vulnerabilities (frontend image) uses: aquasecurity/trivy-action@v0.36.0 with: scan-type: image image-ref: loopless-frontend:security format: table - severity: CRITICAL,HIGH + severity: CRITICAL ignore-unfixed: true exit-code: "1" diff --git a/.trufflehog-exclude.txt b/.trufflehog-exclude.txt index 6eba4c8..cc97214 100644 --- a/.trufflehog-exclude.txt +++ b/.trufflehog-exclude.txt @@ -4,3 +4,6 @@ # but contain no real credentials. Never put real values in these files. devops/k8s/project-01/README\.md devops/k8s/project-01/secret\.example\.yaml +# aiops sanitizer unit test — fixtures contain FAKE Postgres connection strings on +# purpose (they assert the redactor scrubs them); no real credentials. +devops/aiops/sanitize\.test\.js