From 45518dc6c35ad306fd8cdb05f147b1d697470e06 Mon Sep 17 00:00:00 2001
From: Manuel Puchta
Date: Mon, 14 Oct 2024 15:11:22 +0200
Subject: [PATCH] Document trify-action update
---
 .github/workflows/scan.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index f8a89b8..4eec7b8 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -28,12 +28,14 @@ jobs:
 env:
 TRIVY_USERNAME: ${{ github.actor }}
 TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- # specify multiple registries: try default GitHub registry, if too many requests, use the aws mirror
+ # Specify multiple registries: try default GitHub registry, if too many requests, use the aws mirror.
 TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
 with:
 scanners: "vuln"
 scan-type: "fs"
 format: "sarif"
+ # By default SARIF format enforces output of all vulnerabilities regardless of configured severities.
+ # To override this set limit-severities-for-sarif to true.
 limit-severities-for-sarif: true
 output: "trivy-results.sarif"
 severity: "CRITICAL,HIGH"
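Review bot: The new comment above `limit-severities-for-sarif: true` explains the mechanism but not the consequence: together with `severity: "CRITICAL,HIGH"` two lines below, MEDIUM and LOW findings are dropped from `trivy-results.sarif` entirely, so they will never surface as code-scanning alerts, and a reader later tuning `severity` should know that is a deliberate filtering choice rather than a display default. I would tighten the wording and state the trade-off: `# SARIF output normally includes findings of every severity regardless of "severity" below;` / `# limit-severities-for-sarif: true restricts it to that list, so MEDIUM/LOW findings are dropped from the upload.` The second sentence of the added comment ("To override this set ...") can then go, since the key directly beneath already shows the setting. The step that owns these `env`/`with` blocks starts above the hunk, so the action reference and how it is pinned are not visible here.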