fix(ci): limit Trivy SARIF severities to CRITICAL,HIGH #101
Merged
Conversation
Without `limit-severities-for-sarif: true`, the trivy-action overrides `TRIVY_SEVERITY` to all severities when `format: sarif`, which causes `exit-code: 1` to fire on MEDIUM/LOW findings as well — the explicit `severity: CRITICAL,HIGH` input is effectively ignored. The v2.0.0a0 build went red on a MEDIUM idna CVE-2026-45409 for this reason; with the new flag, both the SARIF report and the exit-code gate honour the configured CRITICAL/HIGH filter.
Summary

The `trivy vulnerability scan` job in `.github/workflows/docker.yml` was triggered by the `v2.0.0a0` tag push and failed with `exit code 1`, even though the only fixable finding was a MEDIUM severity CVE (`CVE-2026-45409` in `idna 3.13`).

Root cause: when `format: sarif` is used without `limit-severities-for-sarif: true`, `aquasecurity/trivy-action` overrides `TRIVY_SEVERITY` to include every severity ("Building SARIF report with all severities" in the log) so that the SARIF uploaded to the GitHub Security tab is complete. The side-effect is that `exit-code: 1` then evaluates findings of every severity — silently disabling the explicit `severity: "CRITICAL,HIGH"` input.

Change

Add `limit-severities-for-sarif: true` to the Trivy step so that:

- `exit-code: 1` fires only on CRITICAL/HIGH (which is the original intent).

Test plan

- `main` and the next semver tag complete the `trivy vulnerability scan` job successfully.
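The workflow step the description and the commit message refer to, written out as an added example (this is not the project's `docker.yml` and not the PR diff). The job name, the action version pin, the image reference, the SARIF file name and the `ignore-unfixed` setting are assumptions; `ignore-unfixed` is inferred from the wording "only fixable finding" above. Without the last `with:` line the step is the pre-fix configuration: `severity` is still declared, but because `format: sarif` makes the action rescan with every severity, the `exit-code: '1'` gate also trips on MEDIUM and LOW results.

```yaml
# Added example of the Trivy step described in this PR (not the repository's
# own workflow). Job name, action pin, image ref and output path are assumed.
jobs:
  trivy:
    name: trivy vulnerability scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF to the Security tab
    steps:
      - uses: actions/checkout@v4

      - name: Trivy scan (gate on CRITICAL/HIGH only)
        uses: aquasecurity/trivy-action@0.28.0   # assumed pin
        with:
          scan-type: image
          image-ref: ghcr.io/example/app:${{ github.ref_name }}   # assumed
          format: sarif
          output: trivy-results.sarif
          ignore-unfixed: true          # assumed; report only fixable findings
          severity: CRITICAL,HIGH
          exit-code: '1'
          # Without this line the action rewrites TRIVY_SEVERITY to all
          # severities for SARIF output ("Building SARIF report with all
          # severities"), so exit-code fires on MEDIUM/LOW as well and the
          # severity input above is silently ignored.
          limit-severities-for-sarif: true

      # Upload even when the gate failed, so the findings that broke the
      # build are still visible in the Security tab.
      - name: Upload Trivy SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

One caveat to weigh before copying this: with `limit-severities-for-sarif: true` the uploaded SARIF is also filtered to CRITICAL/HIGH, so MEDIUM and LOW findings no longer reach the Security tab at all. If you want the gate to stay strict but still keep a complete inventory, run the scan twice: one step with `format: table`, `severity: CRITICAL,HIGH` and `exit-code: '1'` as the gate, and a second with `format: sarif`, `exit-code: '0'` and no `limit-severities-for-sarif`, whose output is the one you upload.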