When running the Trivy Action (version 0.29.0) in a GitHub Actions workflow with severity: "CRITICAL,HIGH" specified, the action does not limit the scan results to the specified severities. Instead, it processes vulnerabilities of all severities (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL), as shown in the debug logs.
Running Trivy with options: trivy fs .
2024-11-22T17:09:37Z DEBUG No plugins loaded
2024-11-22T17:09:37Z DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-22T17:09:37Z DEBUG Cache dir dir="/home/runner/work/xxxxx/xxxx/.cache/trivy"
2024-11-22T17:09:37Z DEBUG Cache dir dir="/home/runner/work/xxxx/xxxx/.cache/trivy"
**2024-11-22T17:09:37Z DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]**
2024-11-22T17:09:37Z DEBUG Ignore statuses statuses=[0 1 2 4 5 6 7]
2024-11-22T17:09:37Z DEBUG DB update was skipped because the local DB is the latest
2024-11-22T17:09:37Z DEBUG DB info schema=2 updated_at=2024-11-21T18:16:43.863577371Z next_update=2024-11-22T18:16:43.86357697Z downloaded_at=2024-11-22T00:07:56.61736953Z
2024-11-22T17:09:37Z DEBUG [pkg] Package types types=[os library]
2024-11-22T17:09:37Z DEBUG [pkg] Package relationships relationships=[unknown root direct indirect]
2024-11-22T17:09:37Z INFO [vuln] Vulnerability scanning is enabled
2024-11-22T17:09:37Z INFO [secret] Secret scanning is enabled
2024-11-22T17:09:37Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T17:09:37Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T17:09:37Z DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-11-22T17:09:37Z DEBUG Initializing scan cache... type="memory"
2024-11-22T17:09:37Z DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-11-22T17:09:37Z DEBUG Skipping path path=".git"
2024-11-22T17:09:48Z INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="node_modules"
2024-11-22T17:09:48Z DEBUG OS is not detected.
2024-11-22T17:09:48Z INFO Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2024-11-22T17:09:48Z DEBUG Detected OS: unknown
2024-11-22T17:09:48Z INFO Number of language-specific files num=1
2024-11-22T17:09:48Z INFO [npm] Detecting vulnerabilities...
2024-11-22T17:09:48Z DEBUG [npm] Scanning packages for vulnerabilities file_path="package-lock.json"
2024-11-22T17:09:48Z DEBUG [vex] VEX filtering is disabled
Error: Process completed with exit code 1.
The same behavior is not observed when running the equivalent Trivy (v0.57.1) CLI command locally, where the --severity parameter works as expected and filters results correctly.
Running (trivy fs --debug --exit-code 1 --ignore-unfixed --severity "HIGH,CRITICAL" .) returns exit code 0 when checked with echo $?
CLI command logs
DEBUG No plugins loaded
2024-11-22T12:49:11-05:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-22T12:49:11-05:00 DEBUG Cache dir dir="/Users/emed/Library/Caches/trivy"
2024-11-22T12:49:11-05:00 DEBUG Cache dir dir="/Users/emed/Library/Caches/trivy"
**2024-11-22T12:49:11-05:00 DEBUG Parsed severities severities=[HIGH CRITICAL]**
2024-11-22T12:49:11-05:00 DEBUG Ignore statuses statuses=[0 1 2 4 5 6 7]
2024-11-22T12:49:11-05:00 DEBUG DB update was skipped because the local DB is the latest
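As an added check that is not part of the issue or of trivy-action: a small bash guard that extracts the `Parsed severities` line from Trivy's `--debug` output and fails when it does not match the severity set the workflow configured, so a dropped `severity` input is caught instead of silently scanning every severity. The two log lines are constructed from the report above; `parsed_severities`, `normalize_expected` and `severity_filter_applied` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added check (not part of the issue or of trivy-action): compare the severities
# Trivy actually parsed (from its --debug output) with the ones the workflow asked
# for, so a CI step can fail when the `severity` input is not passed through.
set -euo pipefail

# Constructed samples of the two "Parsed severities" debug lines from the report.
ACTION_LOG='2024-11-22T17:09:37Z DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]'
CLI_LOG='2024-11-22T12:49:11-05:00 DEBUG Parsed severities severities=[HIGH CRITICAL]'

# parsed_severities LOG_TEXT -> sorted, space-separated severities Trivy reported
# (empty output if the log contains no "Parsed severities" line).
parsed_severities() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Parsed severities severities=\[\([^]]*\)\].*/\1/p' \
    | tr ' ' '\n' | sort | tr '\n' ' ' | sed 's/ $//'
}

# normalize_expected "CRITICAL,HIGH" -> "CRITICAL HIGH" (upper-cased, sorted, so
# the comparison is order-insensitive like the action's own input).
normalize_expected() {
  printf '%s\n' "$1" | tr ',' '\n' | tr '[:lower:]' '[:upper:]' \
    | sort | tr '\n' ' ' | sed 's/ $//'
}

# severity_filter_applied EXPECTED LOG_TEXT -> exit 0 only when Trivy parsed
# exactly the expected severity set; exit 1 on a mismatch or a missing line.
severity_filter_applied() {
  local want got
  want=$(normalize_expected "$1")
  got=$(parsed_severities "$2")
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# Example run: the action log fails the check, the local CLI log passes it.
if severity_filter_applied "CRITICAL,HIGH" "$ACTION_LOG"; then
  echo "action: severity filter applied"
else
  echo "action: severity filter NOT applied (got: $(parsed_severities "$ACTION_LOG"))"
fi
severity_filter_applied "HIGH,CRITICAL" "$CLI_LOG" && echo "cli: severity filter applied"
```

In a workflow, run the action with `TRIVY_DEBUG=true` (or the CLI with `--debug`), capture the step output to a file, and call `severity_filter_applied` on it in a follow-up step so the job fails on the mismatch rather than on an unintended LOW finding.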