store trivy scan config in a file

Storing trivy scan configuration in a file will ensure the same configuration
is used regardless if trivy is run as GitHub action or when trivy is used
locally.

Author: lavarou

.github/workflows/security-scan.yml

@@ -23,24 +23,20 @@ jobs:
         with:
           scan-type: fs
           scan-ref: ./php-agent
-          scanners: vuln,misconfig
-          skip-dirs: vendor
+          trivy-config: ./php-agent/trivy.yaml
           format: table
           exit-code: 1
-          ignore-unfixed: true
-          severity: CRITICAL,HIGH,MEDIUM,LOW
 
       - name: Run Trivy in report mode
         # Only generate sarif when running nightly on the dev branch.
         if: ${{ github.event_name == 'schedule' }}
         uses: aquasecurity/[email protected]
         with:
           scan-type: fs
-          skip-dirs: vendor
+          scan-ref: ./php-agent
+          trivy-config: ./php-agent/trivy.yaml
           format: sarif
           output: trivy-results.sarif
-          ignore-unfixed: true
-          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
 
       - name: Upload Trivy scan results to GitHub Security tab
         # Only upload sarif when running nightly on the dev branch.

trivy.yaml

@@ -0,0 +1,14 @@
+scan:
+  scanners: 
+    - vuln
+    - misconfig
+  skip-dirs: vendor
+
+severities:
+  - CRITICAL
+  - HIGH
+  - MEDIUM
+  - LOW
+
+vulnerability:
+  ignore-unfixed: true