diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 7a077b05..6fc42e27 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -134,6 +134,10 @@ jobs: format: sarif output: trivy-results.sarif exit-code: "1" + # Without this, trivy-action rebuilds the SARIF scan with ALL + # severities and exit-code applies to any LOW/MEDIUM finding, + # contradicting the documented CRITICAL/HIGH-only gate above. + limit-severities-for-sarif: true - name: Upload Trivy SARIF to code scanning if: always() && hashFiles('trivy-results.sarif') != '' uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2