Merge pull request #49 from FlowFuse/ci-enable-sast-scan

knolleary · web-flow · commit 75ff45c1a677 · 2026-01-22T13:36:11.000Z
ci: Enable SAST
diff --git a/.github/.trivyignore.yaml b/.github/.trivyignore.yaml
@@ -0,0 +1,2 @@
+# Trivy ignore file
+# Add patterns to ignore specific vulnerabilities
diff --git a/.github/trivy.yaml b/.github/trivy.yaml
@@ -0,0 +1,29 @@
+# Trivy Security Scanner Configuration
+# Documentation: https://aquasecurity.github.io/trivy/latest/docs/configuration/
+
+scan:
+  scanners:
+    - vuln
+    - secret
+
+  skip-dirs:
+    - node_modules
+    - .git
+    - coverage
+    - ci
+
+severity:
+  - CRITICAL
+  - HIGH
+  - MEDIUM
+  - LOW
+
+pkg:
+  types:
+    - os
+    - library
+  include-dev-deps: true
+
+format: "sarif"
+ignorefile: ".github/.trivyignore.yaml"
+exit-code: 0
diff --git a/.github/workflows/sast-scan.yml b/.github/workflows/sast-scan.yml
@@ -0,0 +1,19 @@
+name: SAST Scan
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  scan:
+    name: SAST Scan
+    uses : flowfuse/github-actions-workflows/.github/workflows/sast_scan.yaml@v0.46.0

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# Trivy ignore file`
	`2`	`+# Add patterns to ignore specific vulnerabilities`