CCM-13343: Trivy Package and Library Scans Skip node Modules

.github/workflows/stage-1-commit.yaml

@@ -146,21 +146,38 @@ jobs:
         uses: actions/checkout@v4
       - name: "Lint Terraform"
         uses: ./.github/actions/lint-terraform
-  trivy:
-    name: "Trivy Scan"
+  trivy-iac:
+    name: "Trivy IaC Scan"
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 10
     needs: detect-terraform-changes
     if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
       - name: "Setup ASDF"
-        uses: asdf-vm/actions/setup@v4
+        uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
+      - name: "Perform Setup"
+        uses: ./.github/actions/setup
+      - name: "Trivy IaC Scan"
+        uses: ./.github/actions/trivy-iac
+  trivy-package:
+    name: "Trivy Package Scan"
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+      - name: "Setup ASDF"
+        uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
       - name: "Perform Setup"
         uses: ./.github/actions/setup
-      - name: "Trivy Scan"
-        uses: ./.github/actions/trivy
+      - name: "Trivy Package Scan"
+        uses: ./.github/actions/trivy-package
   count-lines-of-code:
     name: "Count lines of code"
     runs-on: ubuntu-latest

.tool-versions

@@ -13,8 +13,8 @@ python 3.13.2
 # The section below is reserved for Docker image versions.
 
 # TODO: Move this section - consider using a different file for the repository template dependencies.
-# docker/ghcr.io/anchore/grype v0.92.2@sha256:651e558f9ba84f2a790b3449c8a57cbbf4f34e004f7d3f14ae8f8cbeede4cd33  # SEE: https://github.com/anchore/grype/pkgs/container/grype
-# docker/ghcr.io/anchore/syft v1.26.0@sha256:de078f51704a213906970b1475edd6006b8af50aa159852e125518237487b8c6  # SEE: https://github.com/anchore/syft/pkgs/container/syft
+# docker/ghcr.io/anchore/grype v0.104.3@sha256:d340f4f8b3b7e6e72a6c9c0152f25402ed8a2d7375dba1dfce4e53115242feb6  # SEE: https://github.com/anchore/grype/pkgs/container/grype
+# docker/ghcr.io/anchore/syft v1.39.0@sha256:6f13bb010923c33fb197047c8f88888e77071bd32596b3f605d62a133e493ce4 # SEE: https://github.com/anchore/syft/pkgs/container/syft
 # docker/ghcr.io/gitleaks/gitleaks:v8.24.0@sha256:b8e9bf46893c2f20e10bfb4b2e783adaef519dea981b01ca6221ac325e836040 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
 # docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli
 # docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc

docs/adr/assets/ADR-003/examples/golang/go.mod

@@ -5,7 +5,7 @@ toolchain go1.24.1
 
 require (
 	github.com/go-resty/resty/v2 v2.7.0
-	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/golang-jwt/jwt v5.3.0+incompatible
 )
 
 require golang.org/x/net v0.38.0 // indirect

scripts/config/trivy.yaml

@@ -4,3 +4,4 @@ exit-code: 1                  # When issues are found
 scan:
   skip-files:
     - "**/.terraform/**/*"
+    - "**/node_modules/**/*"