From 960a7a350aa3d3a5b27cac01333a62f93f4e78ea Mon Sep 17 00:00:00 2001
From: Luke Heath
Date: Mon, 4 Mar 2024 16:13:41 -0600
Subject: [PATCH] Remove tfsec workflow (#17354)
---
 .github/workflows/tfsec.yml | 48 -------------------
 .../{trivy_scan.yml => trivy-scan.yml} | 4 +-
 2 files changed, 1 insertion(+), 51 deletions(-)
 delete mode 100644 .github/workflows/tfsec.yml
 rename .github/workflows/{trivy_scan.yml => trivy-scan.yml} (94%)
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml
deleted file mode 100644
index 37f535258b..0000000000
--- a/.github/workflows/tfsec.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-name: tfsec
-
-on:
- push:
- branches:
- - main
- paths:
- - '**.tf'
- pull_request:
- paths:
- - '**.tf'
- workflow_dispatch: # Manual dispatch
-
-# This allows a subsequently queued workflow run to interrupt previous runs
-concurrency:
- group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
- cancel-in-progress: true
-
-defaults:
- run:
- # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
- shell: bash
-
-permissions:
- contents: read
-
-jobs:
- tfsec:
- permissions:
- contents: read # for actions/checkout to fetch code
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- name: tfsec sarif report
- runs-on: ubuntu-latest
-
- steps:
- - name: Clone repo
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
-
- - name: tfsec
- uses: tfsec/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608
- with:
- sarif_file: tfsec.sarif
-
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38
- with:
- # Path to SARIF file relative to the root of the repository
- sarif_file: tfsec.sarif
diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy-scan.yml
similarity index 94%
rename from .github/workflows/trivy_scan.yml
rename to .github/workflows/trivy-scan.yml
index 3aca1a1102..6aff3d2ae0 100644
--- a/.github/workflows/trivy_scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -40,11 +40,9 @@ jobs:
 - name: Run Trivy vulnerability scanner in repo mode
 uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0
 with:
- scan-type: "fs"
- ignore-unfixed: true
 format: "sarif"
 output: "trivy-results.sarif"
- severity: "CRITICAL,HIGH"
+ severity: "CRITICAL,HIGH,MEDIUM,LOW"
 trivyignores: ".trivyignore"
 - name: Upload Trivy scan results to GitHub Security tab
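Review bot: With tfsec.yml deleted, Terraform misconfiguration checks on `**.tf` files are gone, and the Trivy step in this hunk only configures vulnerability output (`format`, `output`, `severity`, `trivyignores`); nothing visible enables Trivy's misconfiguration scanner, so that coverage is lost unless the rest of the job does it outside the hunk (the `steps:` list starts before it). If the intent is for Trivy to take over that role, add the action's `scanners` input with `misconfig` to this `with:` block, or state the intentional drop in the commit message, which currently only mentions removing tfsec. Dropping `ignore-unfixed: true` while widening `severity` to include `MEDIUM,LOW` will also surface findings with no available fix in the Security tab; if that is deliberate, a comment such as `# unfixed CVEs are reported on purpose; triage them via .trivyignore` keeps the next reader from restoring the flag as noise reduction. Removing `scan-type: "fs"` appears behavior-neutral because fs is the action's default, but that is inferred rather than shown here.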