feat: exclude trivy crds from resource filter

[seoyoungleeme]

Motivation

Closes #24969

Users integrating Trivy (Aqua Security) with their clusters often face a high volume of Custom Resources generated by the scanner (e.g., VulnerabilityReport, ConfigAuditReport, etc.).

Currently, these resources appear in the Argo CD application tree, which causes two main issues:

1. UI Clutter: The application view becomes crowded with metadata reports that are rarely managed via GitOps.
2. Performance: Monitoring these high-churn resources adds unnecessary load to the Argo CD controller and the Kubernetes API server.

Modifications

This PR adds aquasecurity.github.io API group and its associated report kinds to the coreExcludedResources list in util/settings/resources_filter.go.

• Added exclusion for aquasecurity.github.io resources (e.g., VulnerabilityReport, ClusterVulnerabilityReport, etc.).
• Added a unit test util/settings/resources_filter_trivy_test.go to verify the exclusion logic.

Verification

• Ran go test -v ./util/settings and confirmed that all tests passed.
• Verified that the new test case TestTrivyExclusions correctly identifies Trivy resources as excluded.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Title of the PR
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[bunnyshell]

🔴 Preview Environment stopped on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

• 🔵 /bns:start to start the environment
• 🚀 /bns:deploy to redeploy the environment
• ❌ /bns:delete to remove the environment

[blakepettersson]

This would be reasonable, but this is also technically a breaking change. I think a better place for this would be docs, where there is a recommendation to add these GVKs if you're using Trivy.

Perhaps for a 4.0 this might make sense?

[choejwoo]

I also agree with @blakepettersson .
Continuously adding product-specific CRDs to the core exclusion list would make Argo CD increasingly opinionated toward specific vendors or ecosystems, which is a maintainability concern.
As an example, it doesn’t seem scalable to require core changes whenever Trivy adds new report CRDs or when other tools introduce similar resources.
Given this, managing such cases via resource.exclusions seems more appropriate.

[crenshaw-dev]

We provide some "reasonable defaults" in the default resource.exclusions value today. We could consider adding these CRs to that list. But we'd want to communicate about it loudly, and maybe even wait until 4.0 to do that.