From 209adacb6e2789ab6c16b3a49d90fe0c808f5602 Mon Sep 17 00:00:00 2001
From: Shinsuke Sugaya
Date: Thu, 21 May 2026 10:21:50 +0900
Subject: [PATCH] fix(ci): limit Trivy SARIF severities to CRITICAL,HIGH
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Without `limit-severities-for-sarif: true`, the trivy-action overrides `TRIVY_SEVERITY` to all severities when `format: sarif`, which causes `exit-code: 1` to fire on MEDIUM/LOW findings as well — the explicit `severity: CRITICAL,HIGH` input is effectively ignored. The v2.0.0a0 build went red on a MEDIUM idna CVE-2026-45409 for this reason; with the new flag, both the SARIF report and the exit-code gate honour the configured CRITICAL/HIGH filter.
---
 .github/workflows/docker.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index f2efdd52..b8b88064 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -110,6 +110,11 @@ jobs:
 format: sarif
 output: trivy-results.sarif
 severity: "CRITICAL,HIGH"
+ # Without this, `format: sarif` causes trivy-action to override
+ # TRIVY_SEVERITY to include all severities ("Building SARIF report
+ # with all severities"), which makes `exit-code: 1` fire on
+ # MEDIUM/LOW findings too — defeating the `severity` filter.
+ limit-severities-for-sarif: true
 # Skip CVEs without an upstream fix. Slim base images frequently
 # carry HIGH OS CVEs (libcap2, ncurses-bin, libudev1, ...) that
 # have no fixed Debian version yet — gating CI on these would mean
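Review bot: With `limit-severities-for-sarif: true` the MEDIUM/LOW findings are dropped from the uploaded SARIF as well, not only from the `exit-code` gate, so they no longer reach Code Scanning at all; the four-line comment explains the override but not this visibility trade-off. I would add `# NOTE: this also hides MEDIUM/LOW from the uploaded SARIF; use a separate report-only scan (all severities, exit-code 0) if Code Scanning should still see them.` directly above the new key. The step's `uses:` and `exit-code:` lines are outside the hunk; if the pinned trivy-action version predates this input, GitHub only warns about an unexpected input and the severity override would silently persist, so that version is worth confirming alongside this change.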