Fail trivy for high and critical

sandhi18 · sandhi18 · commit 0321931f30e8 · 2026-02-17T15:06:50.000+05:30
Signed-off-by: sandhi &lt;sagarwal@progress.com&gt;
diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
@@ -101,6 +101,11 @@ on:
         required: false
         type: boolean
         default: true
+      trivy-fail-on-high-critical:
+        description: 'Fail pipeline if Trivy finds HIGH or CRITICAL vulnerabilities'
+        required: false
+        type: boolean
+        default: true
         
       build:
         description: 'CI Build (language-specific)'
@@ -715,6 +720,7 @@ jobs:
     needs: checkout
     with:
       version: ${{ inputs.version }}
+      fail-on-high-critical: ${{ inputs.trivy-fail-on-high-critical }}
   
     # run-srcclr:
     #   if: ${{ inputs.perform-srcclr-scan == true }}
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -15,6 +15,11 @@ on:
         required: false
         type: string
         default: '1.0.0'
+      fail-on-high-critical:
+        description: 'Fail the build if HIGH or CRITICAL vulnerabilities are found'
+        required: false
+        type: boolean
+        default: true
 
 jobs:
   trivy:
@@ -67,14 +72,16 @@ jobs:
           # name: trivy-report-${{ github.event.repository.name }}-${{ github.ref_name }}-${{ inputs.version }}-$(date +'%Y%m%d')-text
           path: trivy-report.txt
           retention-days: 30
-          #   - name: Fail build on High/Criticial Vulnerabilities
-        #     uses: aquasecurity/trivy-action@master
-        #     with:
-        #       scan-type: "fs"
-        #       format: table
-        #       scan-ref: .
-        #       severity: HIGH,CRITICAL
-        #       ignore-unfixed: true
-        #       exit-code: 1
-        #       # On a subsequent call to the action we know trivy is already installed so can skip this
-        #       skip-setup-trivy: true
+
+      - name: Fail build on High/Critical Vulnerabilities
+        if: ${{ inputs.fail-on-high-critical }}
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "fs"
+          format: table
+          scan-ref: .
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          exit-code: 1
+          # On a subsequent call to the action we know trivy is already installed so can skip this
+          skip-setup-trivy: true
