chore(trivy): add options according to TRG 8.04

eclipse-tractusx/portal#467
eclipse-tractusx · Nov 13, 2024 · febe62a · febe62a
1 parent 1938b28
commit febe62a
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/.github/workflows/trivy-main.yml b/.github/workflows/trivy-main.yml
@@ -60,6 +60,9 @@ jobs:
           format: 'sarif'
           output: 'trivy-results1.sarif'
           vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH' # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH).
+          exit-code: '1' # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail.
+          limit-severities-for-sarif: true
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
@@ -92,6 +95,10 @@ jobs:
           format: 'sarif'
           output: 'trivy-results2.sarif'
           vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH' # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH).
+          hide-progress: false
+          exit-code: '1' # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail.
+          limit-severities-for-sarif: true
 
       - name: Upload Trivy scan results to GitHub Security tab
         if: always()

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -60,6 +60,9 @@ jobs:
           format: 'sarif'
           output: 'trivy-results1.sarif'
           vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH' # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH).
+          exit-code: '1' # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail.
+          limit-severities-for-sarif: true
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
@@ -92,6 +95,10 @@ jobs:
           format: 'sarif'
           output: 'trivy-results2.sarif'
           vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH' # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH).
+          hide-progress: false
+          exit-code: '1' # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail.
+          limit-severities-for-sarif: true
 
       - name: Upload Trivy scan results to GitHub Security tab
         if: always()