Skip to content

Commit b5f19ea

Browse files
radicalkjaxclaude
andcommitted
ci: gate Trivy on HIGH/CRITICAL only (limit-severities-for-sarif)
The Trivy job failed even with zero HIGH/CRITICAL findings. Ground truth from the uploaded SARIF: 8 results, all LOW (rand/lru/rpassword advisories). In SARIF mode the trivy-action overrides the severity filter to all severities so the report is complete for code scanning, and exit-code: 1 then fires on ANY finding in it — including those LOW ones. limit-severities-for-sarif: true makes the HIGH,CRITICAL filter apply to the SARIF and the exit code, so the job gates only on HIGH/CRITICAL (currently 0) — the LOW rust-dep advisories are already tracked by cargo-audit. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 417f455 commit b5f19ea

1 file changed

Lines changed: 6 additions & 0 deletions

File tree

.github/workflows/container.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -86,6 +86,12 @@ jobs:
8686
output: trivy.sarif
8787
severity: HIGH,CRITICAL
8888
exit-code: '1'
89+
# CRITICAL: in SARIF mode `severity` does NOT filter the report, and
90+
# `exit-code` then fires on ANY finding in it (including LOW). This
91+
# makes the severity filter apply to the SARIF + exit-code, so the
92+
# job gates only on HIGH/CRITICAL — not the LOW rust-dep advisories
93+
# (rand/lru/rpassword) which cargo-audit already tracks.
94+
limit-severities-for-sarif: true
8995
# Only fail on FIXABLE vulnerabilities — un-actionable upstream
9096
# base-OS CVEs (debian "wont-fix") can't be patched from here and are
9197
# picked up automatically when the distroless base is rebuilt.

0 commit comments

Comments
 (0)