
Conversation

@BestChinchilla

nvim-lint already has a trivy linter, but it only scans for misconfig; this PR adds secret scanner functionality to make the development process safer.

POC: (screenshot)

@mfussenegger (Owner)

Would it be possible and make sense to extend the existing trivy linter to check both?

cc @pbnj @bobsrac

@pbnj (Contributor) commented May 21, 2025

Would it be possible and make sense to extend the existing trivy linter to check both?

It is possible to run multiple scanners in one go, like trivy --scanners vuln,secret,misconfig,license.

The question becomes what if a user only wants to run one or the other scanner?

Update:

According to the trivy config file reference, it is possible to configure --scanners via a trivy.yaml config file, like:

scan:
  scanners:
    - vuln
    - secret
    - misconfig
    - license

I tested this locally and it seems to work as expected:

  • Without trivy.yaml; note the Vulnerabilities and Secrets (default scanners) table headings in the Report Summary output:
% trivy fs .
2025-05-21T08:39:35-07:00       INFO    [vuln] Vulnerability scanning is enabled
2025-05-21T08:39:35-07:00       INFO    [secret] Secret scanning is enabled
2025-05-21T08:39:35-07:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-05-21T08:39:35-07:00       INFO    [secret] Please see also https://trivy.dev/v0.62/docs/scanner/secret#recommendation for faster secret detection
2025-05-21T08:39:35-07:00       INFO    Number of language-specific files       num=0
2025-05-21T08:39:35-07:00       WARN    [report] Supported files for scanner(s) not found.      scanners=[vuln]
2025-05-21T08:39:35-07:00       INFO    [report] No issues detected with scanner(s).    scanners=[secret]

Report Summary

┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼──────┼─────────────────┼─────────┤
│   -    │  -   │        -        │    -    │
└────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
  • With the above trivy.yaml; note Licenses, Secrets, Misconfigurations, and Vulnerabilities table headings in the Report Summary output:
% trivy fs .
2025-05-21T08:39:49-07:00       INFO    Loaded  file_path="trivy.yaml"
2025-05-21T08:39:49-07:00       INFO    [vuln] Vulnerability scanning is enabled
2025-05-21T08:39:49-07:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-05-21T08:39:49-07:00       INFO    [secret] Secret scanning is enabled
2025-05-21T08:39:49-07:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-05-21T08:39:49-07:00       INFO    [secret] Please see also https://trivy.dev/v0.62/docs/scanner/secret#recommendation for faster secret detection
2025-05-21T08:39:49-07:00       INFO    [license] License scanning is enabled
2025-05-21T08:39:49-07:00       INFO    Number of language-specific files       num=0
2025-05-21T08:39:49-07:00       INFO    Detected config files   num=0
2025-05-21T08:39:49-07:00       WARN    [report] Supported files for scanner(s) not found.      scanners=[misconfig vuln]
2025-05-21T08:39:49-07:00       INFO    [report] No issues detected with scanner(s).    scanners=[license secret]

Report Summary

┌────────┬──────┬──────────┬─────────┬───────────────────┬─────────────────┐
│ Target │ Type │ Licenses │ Secrets │ Misconfigurations │ Vulnerabilities │
├────────┼──────┼──────────┼─────────┼───────────────────┼─────────────────┤
│   -    │  -   │    -     │    -    │         -         │        -        │
└────────┴──────┴──────────┴─────────┴───────────────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

This approach gives users the flexibility to configure trivy uniquely for each project.

@BestChinchilla (Author)

I can try adding more if conditions for each of the scanners, but I don't write in Lua, so it might not be exactly best-practice code :D
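As an added example (not the trivy linter shipped with nvim-lint and not this PR's code), here is one nvim-lint definition whose parser handles both the Misconfigurations and the Secrets entries of trivy's JSON report, so a single linter covers whichever scanners the project's trivy.yaml enables, as proposed above. The nvim-lint linter fields and the trivy JSON field names used are assumptions taken from the two projects' public documentation.

```lua
-- Added example: one nvim-lint trivy linter for misconfig AND secret findings.
-- Which scanners run is left to trivy.yaml (or trivy's defaults), per the thread.
local severity = vim.diagnostic.severity
local trivy_to_nvim = {  -- trivy severities -> vim.diagnostic severities
  CRITICAL = severity.ERROR, HIGH = severity.ERROR, MEDIUM = severity.WARN,
  LOW = severity.INFO, UNKNOWN = severity.HINT,
}
-- Build one diagnostic. trivy line numbers are 1-based; nvim expects 0-based.
local function to_diagnostic(start_line, end_line, sev, code, message)
  local lnum = math.max((start_line or 1) - 1, 0)
  return {
    lnum = lnum,
    end_lnum = math.max((end_line or start_line or 1) - 1, lnum),
    col = 0,
    severity = trivy_to_nvim[sev] or severity.WARN,
    source = "trivy",
    code = code,
    message = message,
  }
end
-- Parser: receives the full stdout of `trivy fs --format json <file>` (assumed schema).
local function parse_trivy_json(output)
  local ok, report = pcall(vim.json.decode, output)
  if not ok or type(report) ~= "table" then return {} end
  local diagnostics = {}
  for _, result in ipairs(report.Results or {}) do
    for _, m in ipairs(result.Misconfigurations or {}) do
      local meta = m.CauseMetadata or {}
      table.insert(diagnostics, to_diagnostic(meta.StartLine, meta.EndLine, m.Severity,
        m.ID, (m.Title or "Misconfiguration") .. ": " .. (m.Message or m.Description or "")))
    end
    for _, s in ipairs(result.Secrets or {}) do
      -- Report rule and title only; echoing s.Match would copy the secret
      -- itself into the diagnostics list and the quickfix window.
      table.insert(diagnostics, to_diagnostic(s.StartLine, s.EndLine, s.Severity,
        s.RuleID, "Secret detected: " .. (s.Title or s.RuleID or "unknown rule")))
    end
  end
  return diagnostics
end
require("lint").linters.trivy = {
  cmd = "trivy",
  stdin = false,        -- trivy needs a path on disk, so the buffer's file name is appended
  append_fname = true,
  args = { "fs", "--format", "json", "--quiet" },
  ignore_exitcode = true,
  parser = parse_trivy_json,
}
```

Without a trivy.yaml, `trivy fs` runs its default scanners (vuln and secret, as the log above shows), so misconfig findings only appear once the project's trivy.yaml lists that scanner.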
