From b54dbbf362c4c8ba17125c403d57e393f42e0684 Mon Sep 17 00:00:00 2001
From: Akpolo Ogagaoghene Prince
Date: Mon, 1 Jun 2026 22:12:27 +0100
Subject: [PATCH] fix(ci): make the Trivy CRITICAL gate fail only on critical vulnerabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The "CRITICAL - fail" Trivy step uses format: sarif. With sarif output the trivy-action builds the report with ALL severities ("Building SARIF report with all severities"), so the exit-code: 1 trips on any vulnerability present — the existing HIGH axios advisories — rather than on CRITICAL findings as the step name and severity: CRITICAL intend. There are no critical vulnerabilities in the image (the SARIF tops out at HIGH), so the staging deploy fails on a gate that should have passed. Add limit-severities-for-sarif: 'true' so the scan and the exit-code honour the severity filter and the gate fails only on genuine CRITICAL findings. HIGH advisories are still surfaced by the warn-only step above.
---
 .github/workflows/deploy-staging.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
index 1d7027e1..91840b99 100644
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -78,6 +78,12 @@ jobs:
 output: 'trivy-results.sarif'
 severity: 'CRITICAL'
 exit-code: '1'
+ # Without this, trivy-action builds the SARIF with ALL severities and
+ # the exit-code then trips on any vulnerability (e.g. the existing
+ # HIGH axios advisories) — not just CRITICAL as the step intends.
+ # Limiting the report to the requested severity makes the gate fail
+ # only on genuine CRITICAL findings.
+ limit-severities-for-sarif: 'true'
 trivyignores: '.trivyignore'
 
 - name: Upload Trivy scan results to GitHub Security tab
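Review bot: Limiting the SARIF to CRITICAL also narrows what the following "Upload Trivy scan results to GitHub Security tab" step publishes, since it presumably uploads the same trivy-results.sarif; HIGH findings would then stop appearing as code-scanning alerts unless the warn-only step above uploads its own report. Confirm that the warn-only step writes and uploads a full-severity SARIF, or point the upload step at that report rather than the gate's filtered one. Separately, the new in-file comment hard-codes a point-in-time finding (the HIGH axios advisories) that will be stale as soon as those are fixed; keep only the durable reason, e.g. `# trivy-action builds the SARIF with all severities unless limited, so without` / `# this the exit-code trips on any finding rather than only CRITICAL ones.` The enclosing step definition starts before the hunk.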