From eef861dec6100fe798051e5b3be132271be21848 Mon Sep 17 00:00:00 2001 From: Stephan Renatus Date: Mon, 11 Jul 2022 09:45:27 +0200 Subject: [PATCH] CI: remove trivy from PRs, add CVE-2022-1996 to ignores (#4867) This is breaking contributions when there is something new in trivy's databases. That's unfortunate, and will be turned off by this commit. We're still running the checks nightly, and that's good enough for raising the maintainers' attention. * .trivyignore: add CVE-2022-1996 Signed-off-by: Stephan Renatus --- .github/workflows/vuln-scans.yaml | 43 ------------------------------- .trivyignore | 3 +++ 2 files changed, 3 insertions(+), 43 deletions(-) delete mode 100644 .github/workflows/vuln-scans.yaml diff --git a/.github/workflows/vuln-scans.yaml b/.github/workflows/vuln-scans.yaml deleted file mode 100644 index c8498da8a0..0000000000 --- a/.github/workflows/vuln-scans.yaml +++ /dev/null @@ -1,43 +0,0 @@ -name: Vulnerability scans -on: - workflow_dispatch: {} # Allow for manual triggers - pull_request: - -jobs: - trivy-scan: - name: Trivy security scan - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v3 - - # Equivalent to: - # $ trivy fs . - - name: Run Trivy scan on repo - uses: aquasecurity/trivy-action@0.5.1 - with: - scan-type: fs - format: table - exit-code: '1' - ignore-unfixed: true - severity: CRITICAL,HIGH - - - name: Build image - run: | - make image - - - name: Get tag - id: tag - run: echo "::set-output name=TAG::$(./build/get-build-version.sh)" - - # Equivalent to: - # $ trivy image $IMAGE - - name: Run Trivy scan on image - uses: aquasecurity/trivy-action@0.5.1 - with: - image-ref: 'openpolicyagent/opa:${{ steps.tag.outputs.TAG }}' - format: table - exit-code: '1' - ignore-unfixed: true - vuln-type: os,library - severity: CRITICAL,HIGH diff --git a/.trivyignore b/.trivyignore index c2003561ba..553a6df0c4 100644 --- a/.trivyignore +++ b/.trivyignore 
@@ -11,3 +11,6 @@ CVE-2018-1098
 CVE-2019-11253
 CVE-2020-8558
 CVE-2021-25741
+
+# * github.com/emicklei/go-restful - we don't use its code in our handlers
+CVE-2022-1996
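Review bot: The new ignore entry for CVE-2022-1996 carries a rationale but no removal condition, so the suppression will silently outlive its reason once the dependency that pulls in go-restful is upgraded past a fixed release. The comment should also name the importing path rather than only the module, because the claim that its code is not used in the handlers depends on which transitive dependency brings it in, and that is what a future reviewer would re-check. Suggested comment: `# * github.com/emicklei/go-restful (transitive via <importing dependency>) - we don't use its code in our handlers; remove once the dependency is bumped to a fixed go-restful release`. If the Trivy version run nightly supports expiration dates in .trivyignore (`CVE-2022-1996 exp:YYYY-MM-DD`), pinning an expiry would enforce that revisit automatically; confirm support in the pinned trivy-action before relying on it.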