This repository has been archived by the owner on Sep 30, 2024. It is now read-only.

Fix Trivy CI failures #438

Merged: 2 commits merged into main from 437-trivy-security-scan-is-erroneously-failing on Nov 13, 2023

Conversation

@ian-noaa (Collaborator) commented Nov 9, 2023

Now that we have dependabot to keep our GitHub Actions up-to-date, switch to using a specific Trivy release.

Additionally, the latest Trivy release fixed a bug that was hiding a misconfiguration in our pipelines. For some reason, the GitHub Action Trivy publishes has decided to diverge from its CLI tool's behavior and ignore the severity: CRITICAL,HIGH configuration unless the limit-severities-for-sarif: true option is also set. When coupled with the exit-code: 1 config option we had set, this meant Trivy would exit with an error code of 1 when it found any vulnerability, not just a critical or high vulnerability like we were anticipating.

We now have dependabot to help keep up with updates so it's safer to
track a released version. I'm also hoping using a particular release
will resolve a CI failure we've been seeing.

For some reason the Trivy GitHub action has decided to ignore the
severity configuration unless also given the
"limit-severities-for-sarif" config. Trivy v0.14 fixed a bug that was
hiding the return value. However, this meant that Trivy was now
returning as failed for any low and medium severities.
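The misconfiguration described in the PR description and commit messages above, shown as a workflow fragment beside its corrected form. This is an added example, not the repository's own workflow: the job and step names, the floating ref in the "before" job, and the "0.14.0" release tag are assumptions (the page only says the fix landed in Trivy v0.14).

```yaml
# Added example, not from this repository. Assumed values: job/step names,
# the "master" floating ref in the "before" job, and the "0.14.0" tag.
name: trivy-scan
on: [push, pull_request]

jobs:
  trivy-before:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Before: the action ignores "severity" when writing SARIF, so combined
      # with exit-code: 1 the step fails on ANY finding (LOW and MEDIUM too),
      # not only on CRITICAL/HIGH as intended. The floating ref also means
      # dependabot cannot track the action version.
      - name: Trivy scan (misconfigured)
        uses: aquasecurity/trivy-action@master   # assumed floating ref
        with:
          scan-type: fs
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          exit-code: '1'

  trivy-after:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # needed to upload SARIF to code scanning
    steps:
      - uses: actions/checkout@v4
      # After: pin a released tag so dependabot can bump it, and set
      # limit-severities-for-sarif so the severity filter applies to the
      # SARIF output and therefore to the exit code. Only CRITICAL/HIGH
      # findings now fail the job.
      - name: Trivy scan (fixed)
        uses: aquasecurity/trivy-action@0.14.0   # assumed tag for the pinned release
        with:
          scan-type: fs
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          limit-severities-for-sarif: true
          exit-code: '1'
      - name: Upload results to GitHub code scanning
        if: always()   # upload even when the scan step fails the job
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

Running the two jobs against the same checkout makes the difference observable: the "before" job fails on a single LOW finding while the "after" job only fails when a CRITICAL or HIGH finding is present.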
@ian-noaa force-pushed the 437-trivy-security-scan-is-erroneously-failing branch from 8bc7ae3 to 22d2d73 on November 9, 2023 19:43
github-actions bot commented Nov 9, 2023

Code Coverage

Package                Line Rate         Branch Rate      Health
unified_graphics       80%               68%
unified_graphics.etl   97%               96%
utils.s3               68%               69%
Summary                85% (363 / 429)   82% (85 / 104)

Minimum allowed line rate is 60%

@ian-noaa changed the title from "Switch to a specific release of our trivy CI action" to "Fix Trivy CI failures" on Nov 9, 2023
@ian-noaa requested a review from esheehan-gsl on November 9, 2023 20:03
@esheehan-gsl merged commit e64f501 into main on Nov 13, 2023
13 checks passed
@esheehan-gsl deleted the 437-trivy-security-scan-is-erroneously-failing branch on November 13, 2023 16:23
Successfully merging this pull request may close these issues.

Trivy security scan is erroneously failing