nit on trivy workflow

brendan-kellam · brendan-kellam · commit e00bb68af6dd · 2026-04-14T14:05:12.000-07:00
diff --git a/.github/workflows/trivy-vulnerability-triage.yml b/.github/workflows/trivy-vulnerability-triage.yml
@@ -44,28 +44,23 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: "${{ env.IMAGE }}:${{ inputs.image_tag || 'latest' }}"
-          format: "json"
-          output: "trivy-results.json"
-          severity: "CRITICAL,HIGH,MEDIUM"
-          # Only report vulns that have a fix available
-          ignore-unfixed: true
+          format: "table"
+          output: "trivy-results.txt"
           trivy-config: trivy.yaml
-
+ 
       - name: Check for vulnerabilities
         id: check
         run: |
-          VULN_COUNT=$(jq '[.Results[]?.Vulnerabilities // [] | .[] | select(.FixedVersion != null and .FixedVersion != "")] | length' trivy-results.json)
-          echo "Found $VULN_COUNT fixable vulnerabilities"
-          if [ "$VULN_COUNT" -gt 0 ]; then
+          if [ -s trivy-results.txt ] && grep -qE "Total: [1-9]" trivy-results.txt; then
             echo "has_vulnerabilities=true" >> "$GITHUB_OUTPUT"
           else
             echo "has_vulnerabilities=false" >> "$GITHUB_OUTPUT"
           fi
-
+ 
       - name: Upload scan results
         if: steps.check.outputs.has_vulnerabilities == 'true'
         uses: actions/upload-artifact@v4
         with:
           name: trivy-results
-          path: trivy-results.json
+          path: trivy-results.txt
           retention-days: 30
diff --git a/trivy.yaml b/trivy.yaml
@@ -7,3 +7,11 @@ scan:
   pkg-types:
     - os
     - library
+ 
+severity:
+  - CRITICAL
+  - HIGH
+  - MEDIUM
+ 
+vulnerability:
+  ignore-unfixed: true
