Skip to content

ci(security): split trivy-fs severity into two steps#269

Merged
frecar merged 1 commit into
mainfrom
charmeleon/chore-268-trivy-fs-split-severity
May 24, 2026
Merged

ci(security): split trivy-fs severity into two steps#269
frecar merged 1 commit into
mainfrom
charmeleon/chore-268-trivy-fs-split-severity

Conversation

@frecar
Copy link
Copy Markdown
Owner

@frecar frecar commented May 24, 2026

Summary

  • Split the trivy-fs job's severity scan into two steps: CRITICAL gates merge (exit-code: 1), HIGH is annotation-only (exit-code: 0, if: always())
  • Same split applied to trivy-fs-nightly.yml so the policy is uniform across PR + scheduled triggers
  • Resolves the comment-vs-behavior gap noted in the previous single-step config

Issue: Closes #268

Why

The previous job's inline comment claimed:

CRITICAL + HIGH gate PR. Tightens over time as we drain the allowlist; widen severity if we want lower tiers in the gate later.

Combined with severity: "CRITICAL,HIGH" and exit-code: "1", the policy gated on BOTH severities (the exit-code applies to any finding matching the severity filter). For a "CRITICAL gates, HIGH informs" intent — which a sibling Python/uv-based service runs — the config was one step short.

This PR splits the step in two so:

  • CRITICAL findings hard-gate the merge
  • HIGH findings surface in the run log but do not gate

The if: always() on the HIGH step is load-bearing — without it, a CRITICAL failure would skip HIGH visibility entirely, which would actually weaken HIGH-finding reporting compared to the original single-step form.

Test plan

  • PR CI runs — verify the two-step trivy-fs job appears as two distinct steps in the GitHub Actions UI
  • CRITICAL step exits 0 (no current CRITICAL findings); HIGH step exits 0 (annotation-only)
  • ci-gate job remains green; needs: list still includes trivy-fs (single job name unchanged — splitting steps does not split the job)
  • Manually trigger trivy-fs-nightly via workflow_dispatch after merge; both steps run

Verification (post-merge):

gh workflow run "Trivy fs nightly sweep" -R frecar/epguides-api
gh run list -R frecar/epguides-api --workflow trivy-fs-nightly.yml --limit 1

No design surface

Mechanical replication of a two-step trivy gating pattern that's been deployed and validated in a sibling Python service. Public-repo discipline: the PR body intentionally avoids referencing internal cluster context.

@frecar
ci(security): split trivy-fs severity into two steps
581b183 
Replace the single-step `trivy-fs` job with a two-step pattern so the
policy matches its stated intent:

- CRITICAL findings hard-gate the merge (`exit-code: 1`)
- HIGH findings surface as annotations only (`exit-code: 0`, `if: always()`)

The previous `severity: "CRITICAL,HIGH"` + `exit-code: "1"` configuration
gated on BOTH severities (the `exit-code` applies to ANY finding matching
the `severity` filter), conflicting with the inline comment that claimed
HIGH was annotation-only.

`if: always()` on the HIGH step is load-bearing — without it, a CRITICAL
failure skips the HIGH-annotation step entirely, which would actually
weaken HIGH visibility relative to the previous single-step form.

Same split applied to `trivy-fs-nightly.yml` so the policy is uniform
across PR + scheduled triggers.

Closes #268
@frecar frecar merged commit 43edf85 into main May 24, 2026
8 checks passed
@frecar frecar deleted the charmeleon/chore-268-trivy-fs-split-severity branch May 24, 2026 21:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ci(security): split trivy-fs severity into two steps

1 participant

@frecar