diff --git a/.github/workflows/trivy-main.yml b/.github/workflows/trivy-main.yml index 0f307c5..1abce37 100644 --- a/.github/workflows/trivy-main.yml +++ b/.github/workflows/trivy-main.yml @@ -61,6 +61,9 @@ jobs: output: "trivy-results1.sarif" vuln-type: "os,library" timeout: "3600s" + severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH). + exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail. + limit-severities-for-sarif: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 @@ -93,6 +96,10 @@ jobs: format: "sarif" output: "trivy-results2.sarif" vuln-type: "os,library" + severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH). + hide-progress: false + exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail. + limit-severities-for-sarif: true - name: Upload Trivy scan results to GitHub Security tab if: always() @@ -126,6 +133,10 @@ jobs: output: "trivy-results3.sarif" vuln-type: "os,library" skip-dirs: "docs/" + severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH). + hide-progress: false + exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail. + limit-severities-for-sarif: true - name: Upload Trivy scan results to GitHub Security tab if: always() diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index e2b31f3..04a82bc 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -63,6 +63,9 @@ jobs: vuln-type: "os,library" skip-dirs: "docs/" timeout: "3600s" + severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH). + exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail. + limit-severities-for-sarif: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 @@ -95,6 +98,10 @@ jobs: format: "sarif" output: "trivy-results2.sarif" vuln-type: "os,library" + severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH). + hide-progress: false + exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail. + limit-severities-for-sarif: true - name: Upload Trivy scan results to GitHub Security tab if: always() @@ -127,6 +134,10 @@ jobs: format: "sarif" output: "trivy-results3.sarif" vuln-type: "os,library" + severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH). + hide-progress: false + exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail. + limit-severities-for-sarif: true - name: Upload Trivy scan results to GitHub Security tab if: always()