Skip to content

fix(security-scan): trivy-fs gate fails on LOW findings, contradicting its documented CRITICAL/HIGH policy#323

Open
seonghobae wants to merge 1 commit into
mainfrom
fix/trivy-fs-honor-severity-gate
Open

fix(security-scan): trivy-fs gate fails on LOW findings, contradicting its documented CRITICAL/HIGH policy#323
seonghobae wants to merge 1 commit into
mainfrom
fix/trivy-fs-honor-severity-gate

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Bug

The trivy-fs job's own header documents: “trivy-fs HARD repo-wide — fails on FIXABLE CRITICAL/HIGH findings.” But trivy-action ignores the severity input when building an unrestricted SARIF report — the run log shows Building SARIF report with all severities — so exit-code: "1" fires on any severity. In practice the gate blocks every PR in a repo on LOW findings the policy explicitly does not gate (observed in ContextualWisdomLab/naruon: DS-0026 Dockerfile HEALTHCHECK LOW ×4 and KSV-0011/0015 k8s resource limits LOW/MEDIUM fail the job even after all CRITICAL/HIGH findings are fixed).

Evidence (trivy 0.70.0, the action's pinned version, run against naruon)

Scan Result
--severity HIGH,CRITICAL --ignore-unfixed on hardened branch exit 0, clean
all-severities --ignore-unfixed (what the SARIF build actually runs) exit 1 — only LOW/MEDIUM findings

Downstream effect: trivy-fs red → opencode-review fails as a consequence → auto-approve/merge scheduler never proceeds → org-wide merge stall.

Fix (one input)

limit-severities-for-sarif: true on the trivy-action step — the SARIF build then honors the configured CRITICAL,HIGH, making the exit code match the documented policy. (Trade-off: SARIF uploaded to code-scanning contains only CRITICAL/HIGH rows; LOW/MEDIUM visibility can come from a separate non-gating scan if wanted.)

🤖 Generated with Claude Code

…s documented

The trivy-fs job documents itself as failing on FIXABLE CRITICAL/HIGH
findings, but trivy-action ignores the severity input when building an
unrestricted SARIF report: it rescans with ALL severities and exit-code=1
then fails on any LOW/MEDIUM finding (e.g. Dockerfile DS-0026 HEALTHCHECK,
k8s KSV-0011/0015 resource limits). Result: the gate blocks every PR in a
repo on LOW findings the policy header says are not gating.

limit-severities-for-sarif: true makes the SARIF build honor the configured
CRITICAL,HIGH severity so the exit code matches the documented policy.

Verified with trivy 0.70.0 (the action's pinned version) against
ContextualWisdomLab/naruon: CRITICAL/HIGH-only scan exits 0 on a hardened
branch while the all-severities scan exits 1 on LOW-only findings.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017RkKdtHRLG4wSLh6PVsp8J
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant