chore: remove trivy (#22065)

Copilot · pelikhan · web-flow · commit 492682b0b5f6 · 2026-03-20T18:18:41.000-07:00
* Initial plan * chore: remove all uses and references to trivy Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/cfea477e-ce64-47b2-b393-49460ee42bec --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
diff --git a/.gitignore b/.gitignore
@@ -149,7 +149,6 @@ test-runs/
 gosec-report.json
 gosec-results.sarif
 govulncheck-results.sarif
-trivy-results.sarif
 
 # Generated action files - kept in .gitignore as build artifacts
 # Note: If workflows fail due to missing js/ files, these may need to be committed
diff --git a/DEVGUIDE.md b/DEVGUIDE.md
@@ -139,7 +139,7 @@ make clean  # Remove binaries, coverage files, security reports, etc.
 
 #### Run security scans
 ```bash
-make security-scan  # Run gosec, govulncheck, and trivy
+make security-scan  # Run gosec and govulncheck
 ```
 **When to use**: Before releases or when checking for vulnerabilities.
 
@@ -815,20 +815,18 @@ The project includes automated security scanning to detect vulnerabilities, code
 ### Running Security Scans Locally
 
 ```bash
-# Run all security scans (gosec, govulncheck, trivy)
+# Run all security scans (gosec, govulncheck)
 make security-scan
 
 # Run individual scans
 make security-gosec      # Go security linter
 make security-govulncheck # Go vulnerability database check
-make security-trivy       # Filesystem/dependency scanner (requires trivy)
 ```
 
 ### Security Scan Tools
 
 - **gosec**: Static analysis tool for Go that detects security issues in source code
 - **govulncheck**: Official Go tool that checks for known vulnerabilities in dependencies
-- **trivy**: Comprehensive scanner for filesystem vulnerabilities, misconfigurations, and secrets
 
 ### Interpreting Results
 
@@ -842,11 +840,6 @@ make security-trivy       # Filesystem/dependency scanner (requires trivy)
 - Indicates if vulnerable code paths are actually called
 - Update affected dependencies to resolve issues
 
-#### Trivy Results
-- Displays HIGH and CRITICAL severity findings
-- Covers Go dependencies, npm packages, and configuration files
-- Shows CVE details and available fix versions
-
 ### Suppressing False Positives
 
 #### Gosec
@@ -864,13 +857,6 @@ secret := "example" // Known test value
 - No inline suppression available
 - Update dependencies or document accepted risks in security review
 
-#### Trivy
-- Use `.trivyignore` file to exclude specific CVEs:
-```text
-# .trivyignore
-CVE-2023-XXXXX  # False positive: not exploitable in our usage
-```
-
 ### CI/CD Integration
 
 Security scans run automatically on:
diff --git a/Makefile b/Makefile
@@ -187,9 +187,9 @@ test-security:
 	go test -v -timeout=3m -run '^FuzzYAML|^FuzzTemplate|^FuzzInput|^FuzzNetwork|^FuzzSafeJob' ./pkg/workflow/...
 	@echo "✓ Security regression tests passed"
 
-# Security scanning with gosec, govulncheck, and trivy
+# Security scanning with gosec and govulncheck
 .PHONY: security-scan
-security-scan: security-gosec security-govulncheck security-trivy
+security-scan: security-gosec security-govulncheck
 	@echo "✓ All security scans completed"
 
 .PHONY: security-gosec
@@ -211,16 +211,6 @@ security-govulncheck:
 	govulncheck ./...
 	@echo "✓ Govulncheck complete"
 
-.PHONY: security-trivy
-security-trivy:
-	@echo "Running trivy filesystem scan..."
-	@if command -v trivy >/dev/null 2>&1; then \
-		trivy fs --severity HIGH,CRITICAL .; \
-	else \
-		echo "⚠ Trivy not installed. Install with: brew install trivy (macOS) or see https://aquasecurity.github.io/trivy/latest/getting-started/installation/"; \
-	fi
-	@echo "✓ Trivy scan complete"
-
 # Test JavaScript files
 .PHONY: test-js
 test-js: build-js
@@ -268,7 +258,7 @@ clean:
 	@# Remove SBOM files
 	rm -f sbom.spdx.json sbom.cdx.json
 	@# Remove security scan reports
-	rm -f gosec-report.json gosec-results.sarif govulncheck-results.sarif trivy-results.sarif
+	rm -f gosec-report.json gosec-results.sarif govulncheck-results.sarif
 	@# Remove downloaded logs (but keep .gitignore)
 	@if [ -d .github/aw/logs ]; then \
 		find .github/aw/logs -type f ! -name '.gitignore' -delete 2>/dev/null || true; \
@@ -810,10 +800,9 @@ help:
 	@echo "  lint-errors      - Lint error messages for quality compliance"
 	@echo "  check-file-sizes - Check Go file sizes and function counts (informational)"
 	@echo "  check-validator-sizes - Check *_validation.go files against the 768-line hard limit"
-	@echo "  security-scan    - Run all security scans (gosec, govulncheck, trivy)"
+	@echo "  security-scan    - Run all security scans (gosec, govulncheck)"
 	@echo "  security-gosec   - Run gosec Go security scanner"
 	@echo "  security-govulncheck - Run govulncheck for known vulnerabilities"
-	@echo "  security-trivy   - Run trivy filesystem scanner"
 	@echo "  actionlint       - Validate workflows with actionlint (depends on build)"
 	@echo "  validate-workflows - Validate compiled workflow lock files (depends on build)"
 	@echo "  install          - Install binary locally"
