From 0f92cd592f56798182ac110c4bdb6487385c5934 Mon Sep 17 00:00:00 2001
From: silas <95582913+silas-x@users.noreply.github.com>
Date: Tue, 18 Oct 2022 18:33:43 +0100
Subject: [PATCH] disable secrets and report on all vulns
---
 .github/workflows/ci-dependency-scan.yml | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci-dependency-scan.yml b/.github/workflows/ci-dependency-scan.yml
index 6548f149..d2d9fd21 100644
--- a/.github/workflows/ci-dependency-scan.yml
+++ b/.github/workflows/ci-dependency-scan.yml
@@ -2,26 +2,36 @@ name: Dependency Security Scan
 on:
   pull_request:
-    branches: 'main'
+    branches: ['main']
   push:
 jobs:
   trivy:
     name: Dependency Scan
     runs-on: ubuntu-latest
-    if: (github.actor != 'dependabot[bot]')
-
     steps:
     - name: Checkout code
       uses: actions/checkout@v3
-    # Fail the job on high/critical vulnerabiliies with fix available
-    - name: Scan Dependencies and secrets
+    # Report all vulnerabilities in CI output
+    - name: Report on all vulnerabilities
       uses: aquasecurity/trivy-action@master
       with:
         scan-type: 'fs'
         ignore-unfixed: true
+        hide-progress: true
+        security-checks: 'vuln' # disable secrets scanning until public
         format: 'table'
-        severity: 'HIGH,CRITICAL'
+
+    # Fail the job on critical vulnerabiliies with fix available
+    - name: Fail on critical vulnerabilities
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        ignore-unfixed: true
+        hide-progress: true
+        security-checks: 'vuln' # disable secrets scanning until public
+        format: 'table'
+        severity: 'CRITICAL'
         exit-code: '1'
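Review bot: Both scan steps, including the newly added "Fail on critical vulnerabilities" one, reference `aquasecurity/trivy-action@master`, so the scanner whose `exit-code: '1'` gates the job tracks a mutable branch rather than a reviewed release; pin it to a release tag or, better, a full commit SHA (`uses: aquasecurity/trivy-action@<tag-or-sha>`) in both steps and let Dependabot bump it. The inline comment `# disable secrets scanning until public` gives no reason for the exclusion, and the period before a repository goes public is exactly when leaked-credential detection is most useful, so if the trigger was runtime or false positives the comment should say so (and an ignore file is the usual fix for noise). The `security-checks` input appears to have been superseded by `scanners` in newer Trivy releases; combined with a floating `@master`, that deprecation could change what is scanned without any diff here, so please confirm the input name against the version you pin. The workflow head above `on:` is outside the hunk, so I cannot see whether a top-level `permissions: contents: read` is set to keep the scan job's token read-only.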