trivy scan failed on all branches after I removed a secret file from GitHub

136 views

My problem is that a trivy scan failed after I removed a secret file from GitHub.

In the https://github.com/bcgov/jag-crdp/ repository, I accidentally pushed ('git push') a secret file called 'new_secret' to the branch 'feature/CEIS-1936'. I followed a tutorial, https://rajeevpentyala.com/2023/08/15/step-by-step-using-bfg-repo-cleaner-tool-to-clean-up-the-git-history/, and then ran the command 'java -jar bfg.jar --delete-files new_secret jag-crdp-17'. After 'git push', the secret file 'new_secret' no longer showed in the branch's commit history (https://github.com/bcgov/jag-crdp/commits/feature/CEIS-1936).

C:\jag\bfg\jag-crdp-17>java -jar bfg.jar --delete-files new_secret jag-crdp-17
C:\jag\bfg\jag-crdp-17>git reflog expire --expire=now --all && git gc --prune=now --aggressive
C:\jag\bfg\jag-crdp-17>git push --force

However, a GitHub trivy scan action (https://github.com/bcgov/jag-crdp/actions/runs/6791645895) failed at the trivy scan step, and 'aquasecurity/trivy-action@master' exited with code 1. The trivy scan failed not only on my current branch but also on all other branches.

I do not understand why the trivy scan fails (I think it should only scan the jag-crdp-transmit-receiver image, and that image has no HIGH/SEVERE vulnerabilities).

My question is: does trivy also scan outside of the image and find that the secret file has not been permanently removed from GitHub?

Thank you!


There are 0 answers
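The post asks whether the secret is really gone. As an added example that is not part of the original question or of the bcgov/jag-crdp project, the bash script below checks whether a file name, or its contents, still survives in any ref of a repository after one branch has been rewritten, and how many objects remain in the object database until reflogs are expired and gc prunes them. It builds a throwaway repository for the demonstration; the branch names (feature/demo, other-branch), the file name new_secret and the content string 'SECRET_TOKEN=not-a-real-token' are constructed for the example, not taken from the real repository.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): after rewriting ONE branch,
# confirm the secret is gone from EVERY ref, then from the object store.
# Rewriting and force-pushing a branch does not touch other branches, tags
# or remote-tracking refs that share the leaked commit.
set -eu

# Commits, across all refs (branches, tags, remotes, HEAD), that touch PATH.
# Prints them and returns 0 if any exist; returns 1 when the path is gone.
path_in_any_ref() {
  local repo="$1" path="$2" hits
  hits=$(git -C "$repo" log --all --format=%H -- "$path")
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# Files in any ref whose content matches PATTERN, printed as <commit>:<path>.
# Returns 0 when found, 1 when the content is gone from every ref.
content_in_any_ref() {
  local repo="$1" pattern="$2" revs hits
  revs=$(git -C "$repo" rev-list --all)
  [ -n "$revs" ] || return 1
  # shellcheck disable=SC2086  # split the revision list into arguments
  hits=$(git -C "$repo" grep -l -e "$pattern" $revs -- 2>/dev/null || true)
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# Objects no ref can reach, ignoring reflogs (what gc --prune would drop).
unreachable_count() {
  git -C "$1" fsck --unreachable --no-reflogs 2>/dev/null | grep -c '^unreachable' || true
}

# Constructed demo repository: feature/demo accidentally commits new_secret,
# and other-branch is cut from that same commit.
build_demo_repo() {
  local repo="$1"
  git init -q "$repo"
  git -C "$repo" symbolic-ref HEAD refs/heads/main
  git -C "$repo" config user.name demo
  git -C "$repo" config user.email demo@example.invalid
  echo 'hello' >"$repo/README.md"
  git -C "$repo" add README.md
  git -C "$repo" commit -q -m 'initial'
  git -C "$repo" checkout -q -b feature/demo
  echo 'SECRET_TOKEN=not-a-real-token' >"$repo/new_secret"  # constructed value
  git -C "$repo" add new_secret
  git -C "$repo" commit -q -m 'oops: commit secret'
  git -C "$repo" branch other-branch  # shares the leaked commit
}

# Mimic "rewrote feature/demo to drop the secret commit and force-pushed":
# feature/demo no longer contains the commit, but other-branch still does.
rewrite_feature_only() {
  git -C "$1" checkout -q feature/demo
  git -C "$1" reset -q --hard main
}

# Drop the last ref that still points at the leaked commit. The objects stay
# on disk (reachable only through reflogs) until they are expired and pruned.
drop_other_refs() {
  git -C "$1" branch -D -q other-branch
}

# The same two commands the BFG workflow ends with.
expire_and_prune() {
  git -C "$1" reflog expire --expire=now --all
  git -C "$1" gc -q --prune=now
}

main() {
  local repo
  repo=$(mktemp -d)/leaked-repo
  build_demo_repo "$repo"
  rewrite_feature_only "$repo"
  echo "after rewriting only feature/demo:"
  path_in_any_ref "$repo" new_secret && echo "  ^ commits in some ref still contain new_secret"
  content_in_any_ref "$repo" SECRET_TOKEN && echo "  ^ the token content is still reachable"
  drop_other_refs "$repo"
  echo "after deleting other-branch, before gc: $(unreachable_count "$repo") unreachable objects"
  expire_and_prune "$repo"
  echo "after reflog expire + gc --prune=now: $(unreachable_count "$repo") unreachable objects"
  path_in_any_ref "$repo" new_secret || echo "  new_secret is gone from every ref"
}

if command -v git >/dev/null 2>&1; then main; else echo 'git is required' >&2; fi
```

Run it against a real clone with `path_in_any_ref /path/to/clone new_secret` after fetching every branch and tag (`git fetch --all --tags`), since a stale remote-tracking ref is enough to keep the commit alive. Whatever the checks report, a credential that has been pushed to a shared remote should be treated as compromised and rotated; cleaning history limits exposure but cannot undo it.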