Merge pull request #1057 from broadinstitute/trivy-limit-severities-sarif

dpark01 · web-flow · commit 3aa0d448d462 · 2026-03-31T11:05:33.000-04:00
Enforce Trivy severity filter on SARIF output and fail CI on findings
diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml
@@ -36,6 +36,7 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
           exit-code: '0'
           ignore-unfixed: true
           trivyignores: '.trivyignore'
@@ -48,7 +49,7 @@ jobs:
           format: 'json'
           output: 'trivy-results.json'
           severity: 'CRITICAL,HIGH'
-          exit-code: '0'
+          exit-code: '1'
           ignore-unfixed: true
           trivyignores: '.trivyignore'
           ignore-policy: '.trivy-ignore-policy.rego'
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -1020,6 +1020,7 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
           exit-code: '0'
           ignore-unfixed: true
           trivyignores: '.trivyignore'
@@ -1032,7 +1033,7 @@ jobs:
           format: 'json'
           output: 'trivy-results.json'
           severity: 'CRITICAL,HIGH'
-          exit-code: '0'
+          exit-code: '1'
           ignore-unfixed: true
           trivyignores: '.trivyignore'
           ignore-policy: '.trivy-ignore-policy.rego'
