From d1742114f3047a7f2f06d65ed82606ffc26b43a2 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Mon, 6 Jul 2026 11:52:43 +0900 Subject: [PATCH] fix(security-scan): make trivy-fs gate honor CRITICAL/HIGH severity as documented The trivy-fs job documents itself as failing on FIXABLE CRITICAL/HIGH findings, but trivy-action ignores the severity input when building an unrestricted SARIF report: it rescans with ALL severities and exit-code=1 then fails on any LOW/MEDIUM finding (e.g. Dockerfile DS-0026 HEALTHCHECK, k8s KSV-0011/0015 resource limits). Result: the gate blocks every PR in a repo on LOW findings the policy header says are not gating. limit-severities-for-sarif: true makes the SARIF build honor the configured CRITICAL,HIGH severity so the exit code matches the documented policy. Verified with trivy 0.70.0 (the action's pinned version) against ContextualWisdomLab/naruon: CRITICAL/HIGH-only scan exits 0 on a hardened branch while the all-severities scan exits 1 on LOW-only findings. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_017RkKdtHRLG4wSLh6PVsp8J --- .github/workflows/security-scan.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 908a07b0..f4075bf9 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -78,6 +78,10 @@ jobs: format: sarif output: trivy-results.sarif exit-code: "1" + # Without this, trivy-action rebuilds the SARIF scan with ALL + # severities and exit-code applies to any LOW/MEDIUM finding, + # contradicting the documented CRITICAL/HIGH-only gate above. + limit-severities-for-sarif: true - name: Upload Trivy SARIF to code scanning if: always() && hashFiles('trivy-results.sarif') != '' uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2