refactor(trivy): rename .trivyignore.yml -> .trivyignore.yaml

.github/ISSUE_TEMPLATE/config.yml

@@ -1,8 +1,8 @@
 blank_issues_enabled: false
 contact_links:
   - name: GitHub Actions Community Forum
-    url: https://github.community/t5/GitHub-Actions/bd-p/actions
+    url: https://github.com/orgs/community/discussions/
     about: Please ask questions about GitHub Actions here.
   - name: GitHub Pages help
     url: https://help.github.com/en/github/working-with-github-pages
-    about: GitHub Pages documentaion here.
+    about: GitHub Pages documentation here.

.github/renovate.json5

@@ -2,17 +2,26 @@
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
   extends: [
     "config:recommended",
+    "docker:pinDigests",
+    "helpers:pinGitHubActionDigestsToSemver",
+    "security:openssf-scorecard",
     ":disableDependencyDashboard",
+    ":docker",
     ":disableRateLimiting",
     ":enableVulnerabilityAlertsWithLabel(security)",
-    "helpers:pinGitHubActionDigestsToSemver",
-    "security:openssf-scorecard",
   ],
+  "git-submodules": {
+    enabled: true,
+  },
   labels: [
     "renovate",
     "renovate/{{replace '.*/' '' depName}}",
     "renovate/{{updateType}}",
   ],
+  lockFileMaintenance: {
+    enabled: true,
+    schedule: ["before 6am on Sunday"],
+  },
   packageRules: [
     {
       matchUpdateTypes: ["major"],

.github/workflows/markdown-check.yml

@@ -1,14 +1,8 @@
 name: markdown-check
 
 on:
-  pull_request:
-    types: [opened, synchronize]
-    paths:
-      - "**.md"
-      - .github/workflows/markdown-check.yml
-      - .markdownlint.yml
   push:
-    branches:
+    branches-ignore:
       - main
     paths:
       - "**.md"

.github/workflows/mega-linter.yml

@@ -13,9 +13,6 @@ jobs:
   build:
     name: MegaLinter
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      statuses: write
     steps:
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

.gitignore

@@ -1,2 +1,5 @@
 # pre-commit configuration file
 .pre-commit-config.yaml
+
+# Lychee cache
+.lycheecache

.mega-linter.yml

@@ -6,6 +6,7 @@ BASH_SHFMT_ARGUMENTS: --indent 2 --space-redirects
 DISABLE_LINTERS:
   - MARKDOWN_MARKDOWN_LINK_CHECK # Using lychee instead
   - SPELL_CSPELL
+  - TERRAFORM_TERRASCAN # Hard to configure - no documentation of the config file
 
 # Remove: To receive reports as email, please set variable EMAIL_REPORTER_EMAIL
 EMAIL_REPORTER: false
@@ -32,10 +33,9 @@ REPOSITORY_CHECKOV_ARGUMENTS: --skip-check CKV_GHA_7
 # Do not leave debug code in production, Insecure URL
 REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS162092,DS137138
 
-# Communication Over HTTP
-REPOSITORY_KICS_ARGUMENTS: --exclude-queries 2e8d4922-8362-4606-8c14-aa10466a1ce3
+REPOSITORY_KICS_ARGUMENTS: --fail-on high
 
-REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yml --severity HIGH,CRITICAL
+REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL
 
 TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES:
   - GITHUB_TOKEN

Dockerfile

@@ -1,4 +1,4 @@
-# kics-scan disable=fd54f200-402c-4333-a5a4-36ef6709af2f,d3499f6d-1651-41bb-a9a7-de925fea487b
+# kics-scan disable=fd54f200-402c-4333-a5a4-36ef6709af2f
 # checkov:skip=CKV_DOCKER_3: Ensure that a user for the container has been created
 # checkov:skip=CKV2_DOCKER_1: Ensure that sudo isn't used
 

entrypoint.sh

@@ -43,7 +43,6 @@ print_info() {
 # Remove all added files or changed /etc/hosts entry
 cleanup() {
   if [ -n "${PAGES_PATH}" ]; then
-    # Ignore DevSkim - Accessing localhost could indicate debug code, or could hinder scaling.
     $sudo_cmd bash -c "sed -i \"/127.0.0.1 ${PAGES_DOMAIN}  # Created by my-broken-link-checker/d\" /etc/hosts || true"
     $sudo_cmd caddy stop &> /dev/null
     [ -f "${CADDYFILE}" ] && rm "${CADDYFILE}"