From 1dd5eed949733104435990fa1b28f0a3bdc7a34d Mon Sep 17 00:00:00 2001 From: Johnathan Falk Date: Fri, 27 Mar 2026 13:27:10 -0400 Subject: [PATCH] Remove Trivy - compromised supply chain Trivy was compromised (see aquasecurity/trivy#10425). Removing all Trivy configuration, workflow jobs/steps, scripts, and references. CodeQL default setup should be used for code scanning instead. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/agents/Security Scanner Coordinator.agent.md | 2 -- .github/linters/super-linter.env | 4 ---- .github/security-guidelines.md | 1 - 3 files changed, 7 deletions(-) diff --git a/.github/agents/Security Scanner Coordinator.agent.md b/.github/agents/Security Scanner Coordinator.agent.md index b28d833..023a737 100644 --- a/.github/agents/Security Scanner Coordinator.agent.md +++ b/.github/agents/Security Scanner Coordinator.agent.md @@ -46,7 +46,6 @@ purpose: - Coordinate SAST (static) and DAST (dynamic) security testing tools. - Run language-specific security scanners (bandit, gosec, cargo-audit, npm audit). - Scan for hardcoded secrets using truffleHog, gitleaks, or GitHub secret scanning. -- Perform container image vulnerability scanning with Trivy or Grype. - Check security headers and HTTPS configuration for web applications. - Generate unified security reports aggregating findings from multiple tools. - Prioritize vulnerabilities by exploitability and impact (CVSS scores). @@ -82,7 +81,6 @@ style-alignment: - Security Instructions: CVE prioritization, CVSS scoring, responsible disclosure. - SAST tools: bandit (Python), gosec (Go), cargo-audit (Rust), eslint-plugin-security (JS). - Secret scanning: truffleHog/gitleaks for git history, fail CI on secret detection. -- Container scanning: Trivy or Grype with --severity HIGH, scan on build and schedule. - DAST: OWASP ZAP or similar for web applications, test in staging environment. - Reporting: SARIF for GitHub integration, JSON for programmatic processing, HTML for stakeholders. - Remediation: Prioritize by CVSS score, availability of fix, and exposure risk. diff --git a/.github/linters/super-linter.env b/.github/linters/super-linter.env index 9488c5a..c38040c 100644 --- a/.github/linters/super-linter.env +++ b/.github/linters/super-linter.env @@ -213,8 +213,6 @@ VALIDATE_TERRAFORM_TERRASCAN=false # Terragrunt VALIDATE_TERRAGRUNT=false -# Trivy (Security scanner) -VALIDATE_TRIVY=false # TypeScript VALIDATE_TSX=true @@ -498,8 +496,6 @@ GROOVY_LOG_LEVEL=info # TERRAFORM_TERRASCAN_CONFIG_FILE=terrascan.toml # TERRAFORM_TFLINT_CONFIG_FILE=.tflint.hcl -# Trivy -# TRIVY_CONFIG_FILE=trivy.yaml # TypeScript # TYPESCRIPT_ES_CONFIG_FILE=eslint.config.mjs diff --git a/.github/security-guidelines.md b/.github/security-guidelines.md index 31adc40..d0eaceb 100644 --- a/.github/security-guidelines.md +++ b/.github/security-guidelines.md @@ -211,7 +211,6 @@ permissions: **Recommended Actions**: - CodeQL for code analysis -- Trivy for vulnerability scanning - GitLeaks for secret detection ### 2. Dynamic Analysis