fix(ci): limit Trivy SARIF severities to CRITICAL,HIGH (#101)

marevol · web-flow · commit e86e5d144c0c · 2026-05-21T10:37:57.000+09:00
Without `limit-severities-for-sarif: true`, the trivy-action overrides `TRIVY_SEVERITY` to all severities when `format: sarif`, which causes `exit-code: 1` to fire on MEDIUM/LOW findings as well — the explicit `severity: CRITICAL,HIGH` input is effectively ignored. The v2.0.0a0 build went red on a MEDIUM idna CVE-2026-45409 for this reason; with the new flag, both the SARIF report and the exit-code gate honour the configured CRITICAL/HIGH filter.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -110,6 +110,11 @@ jobs:
           format: sarif
           output: trivy-results.sarif
           severity: "CRITICAL,HIGH"
+          # Without this, `format: sarif` causes trivy-action to override
+          # TRIVY_SEVERITY to include all severities ("Building SARIF report
+          # with all severities"), which makes `exit-code: 1` fire on
+          # MEDIUM/LOW findings too — defeating the `severity` filter.
+          limit-severities-for-sarif: true
           # Skip CVEs without an upstream fix.  Slim base images frequently
           # carry HIGH OS CVEs (libcap2, ncurses-bin, libudev1, ...) that
           # have no fixed Debian version yet — gating CI on these would mean
