openzipkin · codefromthecrypt · Feb 27, 2024
diff --git a/build-bin/README.md b/build-bin/README.md
@@ -12,6 +12,10 @@ On deploy:
 On deploy_bom:
 * The artifact `brave-bom` is deployed. Intentionally separate to allow a retry.
 
+We also include a [Trivy configuration](trivy.yaml) which works around its lack
+of support for maven-invoker-plugin. Run `./build-bin/trivy` from the project
+root to get a vulnerability assessment.
+
 [//]: # (Below here should be standard for all projects)
 
 ## Build Overview

diff --git a/build-bin/trivy b/build-bin/trivy
@@ -0,0 +1,6 @@
+#!/bin/sh -ue
+
+# This script deploys a master or release version.
+#
+# See [README.md] for an explanation of this and how CI should use it.
+trivy -c $(dirname "$0")/trivy.yaml repo .
diff --git a/build-bin/trivy.yaml b/build-bin/trivy.yaml
@@ -0,0 +1,7 @@
+# As of Feb 2024, Trivy has no plans to handle maven-invoker-plugin.
+# Skip to reduce noise about intentional tests against old versions.
+# https://github.com/aquasecurity/trivy/discussions/5787
+image:
+  skip-files:
+    - "**/src/it/*/pom.xml"
+    - "**/target/it/*/pom.xml"