Commit b5f19ea
ci: gate Trivy on HIGH/CRITICAL only (limit-severities-for-sarif)
The Trivy job failed even with zero HIGH/CRITICAL findings. Ground truth from
the uploaded SARIF: 8 results, all LOW (rand/lru/rpassword advisories). In
SARIF mode the trivy-action overrides the severity filter to all severities so
the report is complete for code scanning, and exit-code: 1 then fires on ANY
finding in it — including those LOW ones.
limit-severities-for-sarif: true makes the HIGH,CRITICAL filter apply to the
SARIF and the exit code, so the job gates only on HIGH/CRITICAL (currently 0) —
the LOW rust-dep advisories are already tracked by cargo-audit.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>1 parent 417f455 commit b5f19ea
1 file changed
Lines changed: 6 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
86 | 86 | | |
87 | 87 | | |
88 | 88 | | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
89 | 95 | | |
90 | 96 | | |
91 | 97 | | |
| |||
0 commit comments