build: exclude maven2 artifact repo checkout from Trivy scan (#252)

The maven2 directory is a transient checkout of the artifact repository
used only during deployment. Its dependencies (e.g., fast-xml-parser in
the pruner tool) are not part of liboscal-java and should be scanned in
the maven2 repository instead.

Author: david-waltermire

.github/workflows/build.yml

@@ -211,8 +211,8 @@ jobs:
         format: 'sarif'
         output: 'trivy-results.sarif'
         severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
-        # Exclude submodule (has its own security scanning in upstream repo)
-        skip-dirs: 'oscal'
+        # Exclude submodule and maven2 artifact repo checkout (have their own security scanning)
+        skip-dirs: 'oscal,maven2'
     - name: Trivy Summary
       if: ${{ !inputs.skip_code_scans }}
       run: |