github · pelikhan · Mar 20, 2026 · Mar 20, 2026 · Mar 20, 2026 · Mar 20, 2026
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -66,26 +66,3 @@ jobs:
           sarif_file: govulncheck-results.sarif
           category: govulncheck
 
-  trivy:
-    name: Trivy Vulnerability Scanner
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Run Trivy filesystem scan
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
-        with:
-          scan-type: 'fs'
-          scan-ref: '.'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'HIGH,CRITICAL'
-          exit-code: '1'
-
-      - name: Upload Trivy SARIF
-        uses: github/codeql-action/upload-sarif@4248455a6f2335bc3b7a8a62932f000050ec8f13 # v3
-        if: always()
-        with:
-          sarif_file: trivy-results.sarif
-          category: trivy
diff --git a/scratchpad/github-actions-security-best-practices.md b/scratchpad/github-actions-security-best-practices.md
@@ -419,26 +419,7 @@ permissions:
 
 ### Dependency Scanning
 
-```yaml
-# ✅ RECOMMENDED: Regular dependency scanning
-name: Security Scan
-on:
-  schedule:
-    - cron: '0 0 * * 0'  # Weekly
-  workflow_dispatch:
-
-jobs:
-  scan:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@sha
-
-      - name: Run Trivy
-        uses: aquasecurity/trivy-action@sha
-        with:
-          scan-type: 'fs'
-          scan-ref: '.'
-```
+Use language-native tools (`govulncheck` for Go, `npm audit` for Node.js, etc.) to scan for known vulnerabilities in dependencies.
 
 ### Maintaining Pinned Actions