From 8592076a2cf7eb0c0d3d9c234b8f7c24bef8ded5 Mon Sep 17 00:00:00 2001
From: Kayla Reopelle
Date: Mon, 18 Nov 2024 16:35:39 -0800
Subject: [PATCH 1/5] Add trivy.yaml file
---
 .github/workflows/security.yml | 7 ++++---
 trivy.yaml | 17 +++++++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 trivy.yaml
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 12fa7a36d5..0daaf5c69f 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -21,6 +21,8 @@ jobs:
 ruby-version: 3.3
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag v4.1.7
+ with:
+ path: ruby-agent
 - run: bundle # Generate a Gemfile.lock to scan
@@ -30,11 +32,10 @@ jobs:
 uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # tag v0.28.0
 with:
 scan-type: fs
+ scan-ref: ./ruby-agent
+ trivy-config: ./ruby-agent/trivy.yaml
 format: table
 exit-code: 1
- ignore-unfixed: true
- severity: CRITICAL,HIGH,MEDIUM,LOW
- cache: false
 - name: Run Trivy in report mode # Only generate sarif when running nightly on the dev branch.
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000000..771df6fee6
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,17 @@
+db:
+ repository:
+ - mirror.gcr.io/aquasec/trivy-db:2
+
+scan:
+ scanners:
+ - vuln
+ - misconfig
+
+severities:
+ - CRITICAL
+ - HIGH
+ - MEDIUM
+ - LOW
+
+vulnerability:
+ ignore-unfixed: true
From 6eaf35f4c2ee3d34108454943cd14fe3a70f4395 Mon Sep 17 00:00:00 2001
From: Kayla Reopelle
Date: Mon, 18 Nov 2024 16:37:52 -0800
Subject: [PATCH 2/5] Tweak file location
---
 .github/workflows/security.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 0daaf5c69f..55d0ffac7e 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
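Review bot: Dropping `cache: false` from the fail-mode step changes behaviour that the move to trivy.yaml does not carry over: the new config file takes on `ignore-unfixed` (as `vulnerability.ignore-unfixed`) and the severity list, but has no cache setting, so the step now runs with whatever default the action applies to its `cache` input instead of the explicit opt-out it had before. If disabling the cache was deliberate, keep `cache: false` on the step or say in the commit message that caching is now intended. Separately, Trivy resolves settings as flags > environment variables > config file, so if the action still supplies a non-empty default for its `severity` input, that default (not the `severities` list in trivy.yaml) is what applies; verify in a run log that only CRITICAL,HIGH,MEDIUM,LOW findings are reported. The same two points apply to the report-mode hunk in patch 4/5 (`format: sarif`), which removes the same three inputs.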
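Review bot: `db.repository` names only `mirror.gcr.io/aquasec/trivy-db:2`, so a mirror outage or failed pull fails the scan with no fallback, and nothing in the file records why the mirror is preferred over the default registry. Since the key is already written as a list, adding the canonical `ghcr.io/aquasecurity/trivy-db:2` as a second entry gives a fallback (Trivy tries the entries in order, as far as I recall for versions that accept a list here), and a header comment such as `# DB is pulled from the GCR mirror first; ghcr.io is the fallback.` captures the intent — adjust the wording to whatever actually motivated the mirror. A leading `---` document start would also keep the file clean under yamllint's default rules.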
@@ -21,8 +21,6 @@ jobs:
 ruby-version: 3.3
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag v4.1.7
- with:
- path: ruby-agent
 - run: bundle # Generate a Gemfile.lock to scan
@@ -32,8 +30,8 @@ jobs:
 uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # tag v0.28.0
 with:
 scan-type: fs
- scan-ref: ./ruby-agent
- trivy-config: ./ruby-agent/trivy.yaml
+ scan-ref: .
+ trivy-config: trivy.yaml
 format: table
 exit-code: 1
From f919753af2a3ed2b4d7a9d7fc1a40046d28f7d7c Mon Sep 17 00:00:00 2001
From: Kayla Reopelle
Date: Mon, 18 Nov 2024 16:51:09 -0800
Subject: [PATCH 3/5] Update config
---
 trivy.yaml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/trivy.yaml b/trivy.yaml
index 771df6fee6..1b4f3e2711 100644
--- a/trivy.yaml
+++ b/trivy.yaml
@@ -2,11 +2,6 @@ db:
 repository:
 - mirror.gcr.io/aquasec/trivy-db:2
-scan:
- scanners:
- - vuln
- - misconfig
-
 severities:
 - CRITICAL
 - HIGH
From 9ca5ec47003a343863233c5b6fff18a23742d42f Mon Sep 17 00:00:00 2001
From: Kayla Reopelle
Date: Tue, 19 Nov 2024 07:57:33 -0800
Subject: [PATCH 4/5] Add trivy.yaml for report mode scans
---
 .github/workflows/security.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 55d0ffac7e..ed4ee03a84 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -41,11 +41,10 @@ jobs:
 uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # tag v0.28.0
 with:
 scan-type: fs
+ scan-ref: .
+ trivy-config: trivy.yaml
 format: sarif
 output: trivy-results.sarif
- ignore-unfixed: true
- severity: 'CRITICAL,HIGH,MEDIUM,LOW'
- cache: false
 - name: Upload Trivy scan results to GitHub Security tab # Only upload sarif when running nightly on the dev branch.
From fb2ceec520091c6d55f4d6d4d2a486b4850fc59c Mon Sep 17 00:00:00 2001
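Review bot: Removing the whole `scan.scanners` block in the trivy.yaml hunk silently changes which scanners run: instead of the explicit `vuln` + `misconfig` pair from patch 1, the fs scan now falls back to Trivy's default scanner set, which I believe is `vuln` and `secret` — so misconfiguration checks are dropped and secret scanning is switched on, and the commit message ("Update config") explains neither. If that is the intended scope, keep an explicit list so the choice stays visible, `scan:` / `  scanners:` / `    - vuln` / `    - secret`, with a one-line comment saying why misconfig is excluded; if it is not, restore the previous list. Either way the file then documents the scan scope instead of depending on a default that can move between Trivy releases.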
From: Kayla Reopelle
Date: Tue, 19 Nov 2024 08:05:11 -0800
Subject: [PATCH 5/5] Add trivy.yaml to .build_ignore
---
 .build_ignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.build_ignore b/.build_ignore
index 3c018013e5..632be85174 100644
--- a/.build_ignore
+++ b/.build_ignore
@@ -19,6 +19,7 @@ lefthook.yml
 log/
 README.md
 test/
+trivy.yaml
 lib/tasks/bump_version.rb
 lib/tasks/coverage_report.rb
 lib/tasks/multiverse.rake