ci: fail scan on critical or high severity vulnerabilities

digitalservicebund · Nov 10, 2023 · a37e1fa · a37e1fa
1 parent b30f027
commit a37e1fa
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -58,8 +58,15 @@ jobs:
           image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
           format: "sarif"
           output: "trivy-results.sarif"
-          severity: "CRITICAL,HIGH"
-          exit-code: "1" # Fail the build!
+      - name: Check trivy results
+        run: |
+          if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
+            echo "Vulnerabilities found"
+            exit 1
+          else
+            echo "No significant vulnerabilities found"
+            exit 0
+          fi
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..