From 97290c88e3bbfbdb71bc9fabda365c5ee4fe614b Mon Sep 17 00:00:00 2001
From: zircote
Date: Thu, 2 Jul 2026 20:48:58 -0400
Subject: [PATCH 1/2] fix(reusable-trivy): sparse-checkout .trivyignore for the image scan gate

The image job's fail-closed Trivy scan never checked out the caller repo, so Trivy's own default .trivyignore auto-discovery (which the image scan type honors just like fs scans) had nothing to find. A repo had no way to document an accepted, unfixable base-image CVE (e.g. a Debian glibc issue) without the gate blocking every future push indefinitely.

Sparse-checkout only .trivyignore, not a full checkout, so this doesn't also pull in a caller's root-level trivy.yaml and silently couple that fs/license-scan config to this unrelated image gate.
---
 .github/workflows/reusable-trivy.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/reusable-trivy.yml b/.github/workflows/reusable-trivy.yml
index 3423ff4..95571b8 100644
--- a/.github/workflows/reusable-trivy.yml
+++ b/.github/workflows/reusable-trivy.yml
@@ -158,6 +158,22 @@ jobs: actions: read packages: read steps: + # Trivy's --ignorefile flag defaults to ".trivyignore" in the working + # directory for every scan type, image included. Without a checkout + # here, the job's cwd never has the caller repo's .trivyignore, so a + # repo has no way to document an accepted, unfixable base-image CVE + # (e.g. a Debian `` glibc issue) without the gate blocking + # every future push indefinitely. Sparse-checkout only that one file — + # a full checkout would also auto-load a root-level trivy.yaml (per the + # iac-license job's own config comment below), silently coupling that + # fs/license-scan config to this unrelated image gate. + - name: Sparse checkout .trivyignore + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + sparse-checkout: | + .trivyignore + sparse-checkout-cone-mode: false + # image-ref is a ghcr.io reference by digest (see the usage comment at # the top of this file). `permissions: packages: read` alone does not # authenticate the docker/trivy pull for a private package - confirmed From 43c0813fb793273899605a1c45d0321e0eecc3ab Mon Sep 17 00:00:00 2001 From: zircote Date: Thu, 2 Jul 2026 20:55:58 -0400 Subject: [PATCH 2/2] fix(reusable-trivy): correct 'below' to 'above' in checkout comment The referenced iac-license job comment precedes the image job in this file, not follows it. Flagged by Copilot review on PR #47. --- .github/workflows/reusable-trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-trivy.yml b/.github/workflows/reusable-trivy.yml index 95571b8..abf3e39 100644 --- a/.github/workflows/reusable-trivy.yml +++ b/.github/workflows/reusable-trivy.yml 
@@ -165,7 +165,7 @@ jobs: # (e.g. a Debian `` glibc issue) without the gate blocking # every future push indefinitely. Sparse-checkout only that one file — # a full checkout would also auto-load a root-level trivy.yaml (per the - # iac-license job's own config comment below), silently coupling that + # iac-license job's own config comment above), silently coupling that # fs/license-scan config to this unrelated image gate. - name: Sparse checkout .trivyignore uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
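Review bot: In the PATCH 1/2 hunk, the non-cone sparse-checkout pattern `.trivyignore` is not anchored to the repository root, so with `sparse-checkout-cone-mode: false` it is matched gitignore-style and also pulls in any `.trivyignore` sitting in a subdirectory; the comment promises "only that one file", so write the pattern as `/.trivyignore`. Two hardening points on the same step: nothing after it needs git credentials, so add `persist-credentials: false` so the caller's token is not left in `.git/config` of a job whose only use of the checkout is reading one file; and because the fail-closed gate now honours whatever `.trivyignore` exists at the checked-out ref, a pull request can add IDs to that file and pass the scan, so cover the file with CODEOWNERS or required review and prefer Trivy's `exp:YYYY-MM-DD` suffix on each entry so an accepted base-image CVE is re-examined on a date rather than ignored indefinitely. Please also confirm the step still succeeds when the caller has no `.trivyignore` at all (a sparse pattern that matches nothing should simply leave an empty tree, and the gate must not start failing on that).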