Bahmni uses Trivy in the CI/CD Pipelines at various stages - from writing the code -> pushing it to GitHub -> building Images to when the code is running the Kubernetes Cluster
Scanning Vulnerabilities, Secrets, Container Images, Kubernetes Cluster and Secrets with Trivy
trivy-secret.yaml file, which can be put in the project root location. Custom rules are defined in this file. This file can be used to add secrets or files that we want to skip/allow during Trivy's scan for secrets. To skip/allow a particular secret add that secret in the regex field. We can give an id or description of that secret as well. To skip/allow a file, use the path field.
A good blog writeup by Umair Fayaz from the Bahmni team on Trivy scans and related security tools in opensource: https://medium.com/@omayrfayaz/security-agents-for-open-source-projects-d5f5405d5048