fix: trivy scan should exit with failure code#310
Conversation
Pull request overview
This PR updates the repository’s composite GitHub Action used for container image vulnerability scanning so that Trivy findings (HIGH/CRITICAL) will fail the workflow, preventing releases/builds from succeeding when severe vulnerabilities are detected.
Changes:
- Add Trivy's `--exit-code 1` flag to make the scan fail the job when matching vulnerabilities are found.
| - name: Scan image | ||
| run: | | ||
| trivy image --severity HIGH,CRITICAL --no-progress ${{ inputs.image }} | ||
| trivy image --severity HIGH,CRITICAL --exit-code 1 --no-progress ${{ inputs.image }} |
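Review bot: the exit code is hard-coded in the `run:` step, so every workflow using this composite action now fails on any HIGH/CRITICAL finding with no way to opt out, and unfixed CVEs (no patched version available yet) will block builds until upstream ships a fix. Consider exposing it as an action input (for example `exit-code`, default `1`) so report-only callers can pass `0`, decide explicitly whether `--ignore-unfixed` belongs in the gate, and note the new failing behaviour in the action's README since this is a breaking change for existing consumers. The unquoted `${{ inputs.image }}` on the same line is raised separately below.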
The image reference is injected into a bash command without quoting. If the upstream workflow ever passes a tag/name containing shell metacharacters (e.g., from GITHUB_REF), this can break the command or enable shell injection. Quote the image input when invoking trivy (and consider similar quoting in other composite actions).
| trivy image --severity HIGH,CRITICAL --exit-code 1 --no-progress ${{ inputs.image }} | |
| trivy image --severity HIGH,CRITICAL --exit-code 1 --no-progress "${{ inputs.image }}" |
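Review bot: the suggested `"${{ inputs.image }}"` handles whitespace but does not close the injection path described above. `${{ }}` expressions are substituted as plain text into the script before the shell parses it, so a value containing a double quote (for example `foo"; id; "`) still terminates the string and runs extra commands. Move the value into the step's environment instead and reference it as a shell variable, e.g. `env:` with `IMAGE: ${{ inputs.image }}` on the step and `trivy image --severity HIGH,CRITICAL --exit-code 1 --no-progress "$IMAGE"` in `run:`, so the runner never splices the untrusted string into shell syntax.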
Not sure if it runs for information purposes only, but without the exit-code param it does not fail the build.
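The quoting comment above describes the injection path, but the suggested `"${{ inputs.image }}"` does not close it: the runner replaces the expression textually before the shell parses the step. The script below is an added example, not code from this PR or the project's composite action. It assumes a stub `trivy` function standing in for the real binary, a constructed malicious image string, and an `env:`-style variant of the step (named `STEP_ENV` here for illustration) that reads the value from `$IMAGE` instead of splicing it into the script.

```shell
#!/bin/sh
# Added example (not code from PR #310 or the project's action). It models how a
# GitHub Actions `run:` step is assembled: `${{ inputs.image }}` is replaced as
# plain text BEFORE the shell parses the script, so double quotes inside the
# script cannot stop a crafted input from closing the quote and appending
# commands. Passing the value through `env:` and expanding "$IMAGE" at run time
# keeps it as data. `trivy` below is a stub standing in for the real CLI.

PLACEHOLDER='${{ inputs.image }}'

# The step as proposed in the review suggestion (expression wrapped in quotes).
STEP_QUOTED='trivy image --severity HIGH,CRITICAL --exit-code 1 --no-progress "${{ inputs.image }}"'
# Hardened variant (assumed): the action sets `env: IMAGE: ${{ inputs.image }}`
# on the step and the script only references the shell variable.
STEP_ENV='trivy image --severity HIGH,CRITICAL --exit-code 1 --no-progress "$IMAGE"'

# Constructed malicious input: looks like a tag, but closes the quote and runs
# an assignment that marks successful injection.
MALICIOUS='nginx:latest"; INJECTED=1; : "'

INJECTED=0   # becomes 1 only if injected shell code actually executed
SCANNED=''   # last argument the trivy stub received

# Stub for the trivy CLI: records its final argument (the image) and succeeds.
trivy() {
  shift $(($# - 1))
  SCANNED=$1
}

# render: textual substitution of the expression, exactly as the runner does it.
# Templates without the placeholder are passed through unchanged.
render() {
  case $1 in
    *"$PLACEHOLDER"*)
      before=${1%%"$PLACEHOLDER"*}
      after=${1#*"$PLACEHOLDER"}
      printf '%s%s%s' "$before" "$2" "$after"
      ;;
    *)
      printf '%s' "$1"
      ;;
  esac
}

# run_quoted_step: the substituted text is handed to the shell as a script.
run_quoted_step() {
  INJECTED=0; SCANNED=''
  eval "$(render "$STEP_QUOTED" "$1")"
}

# run_env_step: the value reaches the script only as the contents of $IMAGE.
run_env_step() {
  INJECTED=0; SCANNED=''
  IMAGE=$1
  eval "$(render "$STEP_ENV" "$1")"
}

run_quoted_step "$MALICIOUS"
echo "quoted expression: injected=$INJECTED scanned=[$SCANNED]"
run_env_step "$MALICIOUS"
echo "env variable:      injected=$INJECTED scanned=[$SCANNED]"
```

With the quoted-expression step the stub only ever sees `nginx:latest` and the trailing `INJECTED=1` runs as its own command; with the `env:` variant the whole crafted string arrives as a single argument and nothing else executes, which is the property a composite action handling caller-supplied inputs should rely on.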