fix(ci): Trivy CRITICAL gate should fail only on critical vulns#1053
Merged
…lities
The "CRITICAL - fail" Trivy step uses format: sarif. With sarif output the
trivy-action builds the report with ALL severities ("Building SARIF report with
all severities"), so the exit-code: 1 trips on any vulnerability present — the
existing HIGH axios advisories — rather than on CRITICAL findings as the step
name and severity: CRITICAL intend. There are no critical vulnerabilities in
the image (the SARIF tops out at HIGH), so the staging deploy fails on a gate
that should have passed.
Add limit-severities-for-sarif: 'true' so the scan and the exit-code honour the
severity filter and the gate fails only on genuine CRITICAL findings. HIGH
advisories are still surfaced by the warn-only step above.
Why
The Deploy Staging "CRITICAL - fail" Trivy step uses format: sarif. With SARIF output the trivy-action builds the report with all severities ("Building SARIF report with all severities" in the logs), so exit-code: 1 trips on any vulnerability present — the existing HIGH axios advisories — rather than on CRITICAL findings as the step name and severity: CRITICAL intend. There are no critical vulnerabilities in the image (the uploaded SARIF tops out at HIGH: axios, minimatch, brace-expansion, etc.), so the deploy fails on a gate that should pass.
This was masked until now because the scan never actually ran (image-ref casing, #1050) — fixing that exposed the misconfigured gate.
Fix
Add limit-severities-for-sarif: 'true' so the scan and the exit-code honour the severity: CRITICAL filter and the gate fails only on genuine CRITICAL findings. HIGH advisories are still surfaced by the warn-only step above.
Verification
Deploy Staging is push-to-main only, so this runs on the post-merge run, not the PR. Change is limited to the workflow; it does not touch the PR-gating RemitLend CI.
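As an added illustration of the gate described in the commit message and in the Why/Fix sections above (this is not the PR's diff or the RemitLend workflow), here is a trimmed GitHub Actions job with the misconfigured CRITICAL gate beside the corrected one. The job name, step names and image reference are placeholders; the inputs image-ref, format, output, severity, exit-code and limit-severities-for-sarif are real inputs of aquasecurity/trivy-action, and the SARIF upload step with if: always() is added here for completeness so the report still reaches the Security tab when the gate fails.

```yaml
# Added example, not the project's own workflow. Names and image-ref are placeholders.
jobs:
  scan-image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Warn-only step: HIGH findings are printed to the log but never fail the job.
      - name: Trivy HIGH - warn
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in practice
        with:
          image-ref: ghcr.io/example-org/example-app:${{ github.sha }}   # placeholder image
          format: table
          severity: HIGH
          exit-code: '0'

      # BEFORE (broken gate, shown only for contrast; a real workflow keeps one of the two):
      # with format: sarif the action builds the SARIF report with ALL severities,
      # ignoring the severity filter, so exit-code: 1 fires on the first HIGH finding
      # even though the step name and severity: CRITICAL say "critical only".
      - name: Trivy CRITICAL - fail (before)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/example-org/example-app:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL
          exit-code: '1'

      # AFTER (fixed gate): limit-severities-for-sarif makes the SARIF output honour
      # the severity filter, so both the report and the exit code are restricted to
      # CRITICAL findings. HIGH advisories are still visible in the warn-only step.
      - name: Trivy CRITICAL - fail
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/example-org/example-app:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL
          exit-code: '1'
          limit-severities-for-sarif: 'true'

      # Upload the SARIF even when the gate fails, so the findings that blocked the
      # deploy are visible under the repository's Security tab.
      - name: Upload Trivy SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

The quick check that a gate is honouring its filter is the action's own log line: a correctly limited run no longer prints "Building SARIF report with all severities", and the uploaded SARIF contains only results at the configured severity.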