From 096e24417134c820842b4e1a2152702984d13fd2 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Fri, 30 Aug 2024 12:54:21 +0000
Subject: [PATCH] ci: remove custom hack, add support for trivyignore
---
 .trivyignore.yaml | 7 +++++++
 Dockerfile | 5 -----
 2 files changed, 7 insertions(+), 5 deletions(-)
 create mode 100644 .trivyignore.yaml
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 0000000..3a7691f
--- /dev/null
+++ b/.trivyignore.yaml
@@ -0,0 +1,7 @@
+secrets:
+ - id: gcp-service-account
+ paths:
+ - "/venv/lib/python*/site-packages/pulumi_aws/glue/connection.py"
+ - id: private-key
+ paths:
+ - "/venv/lib/python*/site-packages/pulumi_aws/glue/connection.py"
diff --git a/Dockerfile b/Dockerfile
index 5ab2cee..f567903 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -33,11 +33,6 @@ RUN curl -fsSL https://get.pulumi.com/ | sh -s -- --version $(pip show pulumi --
 # minimal pulumi
 RUN cd /root/.pulumi/bin && rm -f *dotnet *yaml *go *java && strip pulumi* || true
-# Remove AWS keys from docstring to prevent trivy alerts later
-RUN sed -i -e 's/AKIA.*//' \ /venv/lib/python${RUNTIME_VERSION}/site-packages/pulumi_aws/lightsail/bucket_access_key.py \ /venv/lib/python${RUNTIME_VERSION}/site-packages/pulumi_aws/glue/connection.py
-
 # Now build the final runtime, incl. running rootless containers
 FROM python:${RUNTIME_VERSION}-alpine${DISTRO_VERSION}
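Review bot: The new ignore file only suppresses `gcp-service-account` and `private-key` findings for `pulumi_aws/glue/connection.py`, while the sed hack removed from the Dockerfile in this same commit also scrubbed `AKIA…` strings out of `pulumi_aws/lightsail/bucket_access_key.py`; nothing on the page shows that file (presumably hit by trivy's `aws-access-key-id` rule) is covered, so the next image scan may still fail on it unless trivy has stopped reporting it. Each entry should also carry a justification so a later reader can tell an accepted upstream sample from a real leak, e.g. `statement: "example credential text in the upstream pulumi_aws docstring"` under each `id`, and an `expired_at:` date would force the exception to be revisited when the pinned pulumi_aws version moves. Trivy's own `.trivyignore.yaml` examples write image paths without a leading slash, so confirm that the anchored `/venv/...` glob actually matches in the image scan before relying on it.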