Don't use secret scanner for trivy - github already does it and it's hard to ignore the test key

Author: dkam

.github/workflows/ci.yml

@@ -43,6 +43,9 @@ jobs:
 
   scan_container:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required for uploading SARIF results
+      contents: read
 
     steps:
       - name: Checkout code
@@ -58,6 +61,7 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
+          scanners: 'vuln'  # Only scan vulnerabilities, not secrets (avoids false positives in vendored gems)
 
       - name: Upload Trivy results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3

README.md

@@ -724,10 +724,10 @@ brew install trivy  # macOS
 
 # Build and scan image (CRITICAL and HIGH severity only, like CI)
 docker build -t clinch:local .
-trivy image --severity CRITICAL,HIGH clinch:local
+trivy image --severity CRITICAL,HIGH --scanners vuln clinch:local
 
 # Scan only for fixable vulnerabilities
-trivy image --severity CRITICAL,HIGH --ignore-unfixed clinch:local
+trivy image --severity CRITICAL,HIGH --scanners vuln --ignore-unfixed clinch:local
 ```
 
 **CI/CD Integration:**