diff --git a/.github/workflows/reusable-trivy.yml b/.github/workflows/reusable-trivy.yml
index 3423ff4..abf3e39 100644
--- a/.github/workflows/reusable-trivy.yml
+++ b/.github/workflows/reusable-trivy.yml
@@ -158,6 +158,22 @@ jobs:
       actions: read
       packages: read
     steps:
+      # Trivy's --ignorefile flag defaults to ".trivyignore" in the working
+      # directory for every scan type, image included. Without a checkout
+      # here, the job's cwd never has the caller repo's .trivyignore, so a
+      # repo has no way to document an accepted, unfixable base-image CVE
+      # (e.g. a Debian `` glibc issue) without the gate blocking
+      # every future push indefinitely. Sparse-checkout only that one file —
+      # a full checkout would also auto-load a root-level trivy.yaml (per the
+      # iac-license job's own config comment above), silently coupling that
+      # fs/license-scan config to this unrelated image gate.
+      - name: Sparse checkout .trivyignore
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          sparse-checkout: |
+            .trivyignore
+          sparse-checkout-cone-mode: false
+
       # image-ref is a ghcr.io reference by digest (see the usage comment at
       # the top of this file). `permissions: packages: read` alone does not
       # authenticate the docker/trivy pull for a private package - confirmed
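Review bot: The new checkout step leaves `persist-credentials` at actions/checkout's default of true, so the caller's GITHUB_TOKEN is written into `.git/config` in a workspace whose only purpose is reading one ignore file, and it stays on disk for the later trivy/docker steps; add `persist-credentials: false` under `with:` since nothing here pushes or fetches again. No `ref:` is given, so the `.trivyignore` is taken from the same ref under test and a pull request can ship its own suppressions alongside the code it suppresses — that is inherent to the ignore-file design, but the comment should say that the gate relies on reviewers noticing `.trivyignore` edits. If a caller repo has no `.trivyignore`, the non-cone sparse pattern matches nothing and the checkout yields an empty worktree, which some git versions reject ("Sparse checkout leaves no entry on working directory"); verify the step against a caller without the file before relying on it for every consumer. The example in the comment, "a Debian `` glibc issue", has an empty placeholder where a CVE identifier presumably was; fill it in or drop the example.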