fix(security-scan): trivy-fs gate fails on LOW findings, contradicting its documented CRITICAL/HIGH policy#323
Open
seonghobae wants to merge 1 commit into
Open
fix(security-scan): trivy-fs gate fails on LOW findings, contradicting its documented CRITICAL/HIGH policy#323seonghobae wants to merge 1 commit into
seonghobae wants to merge 1 commit into
Conversation
…s documented The trivy-fs job documents itself as failing on FIXABLE CRITICAL/HIGH findings, but trivy-action ignores the severity input when building an unrestricted SARIF report: it rescans with ALL severities and exit-code=1 then fails on any LOW/MEDIUM finding (e.g. Dockerfile DS-0026 HEALTHCHECK, k8s KSV-0011/0015 resource limits). Result: the gate blocks every PR in a repo on LOW findings the policy header says are not gating. limit-severities-for-sarif: true makes the SARIF build honor the configured CRITICAL,HIGH severity so the exit code matches the documented policy. Verified with trivy 0.70.0 (the action's pinned version) against ContextualWisdomLab/naruon: CRITICAL/HIGH-only scan exits 0 on a hardened branch while the all-severities scan exits 1 on LOW-only findings. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_017RkKdtHRLG4wSLh6PVsp8J
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug
The
trivy-fsjob's own header documents: “trivy-fs HARD repo-wide — fails on FIXABLE CRITICAL/HIGH findings.” Buttrivy-actionignores theseverityinput when building an unrestricted SARIF report — the run log showsBuilding SARIF report with all severities— soexit-code: "1"fires on any severity. In practice the gate blocks every PR in a repo on LOW findings the policy explicitly does not gate (observed inContextualWisdomLab/naruon:DS-0026Dockerfile HEALTHCHECK LOW ×4 andKSV-0011/0015k8s resource limits LOW/MEDIUM fail the job even after all CRITICAL/HIGH findings are fixed).Evidence (trivy 0.70.0, the action's pinned version, run against naruon)
--severity HIGH,CRITICAL --ignore-unfixedon hardened branch--ignore-unfixed(what the SARIF build actually runs)Downstream effect:
trivy-fsred →opencode-reviewfails as a consequence → auto-approve/merge scheduler never proceeds → org-wide merge stall.Fix (one input)
limit-severities-for-sarif: trueon the trivy-action step — the SARIF build then honors the configuredCRITICAL,HIGH, making the exit code match the documented policy. (Trade-off: SARIF uploaded to code-scanning contains only CRITICAL/HIGH rows; LOW/MEDIUM visibility can come from a separate non-gating scan if wanted.)🤖 Generated with Claude Code