Only report critical issues

Because there are high severity issue that have been reported since decades with no resolution: E.g. https://ubuntu.com/security/CVE-2013-7445#notes https://bugzilla.kernel.org/show_bug.cgi?id=60533 Signed-off-by: Dimitris Karakasilis <[email protected]>
kairos-io · Jan 20, 2025 · 24ca209 · 24ca209
1 parent 5325ef8
commit 24ca209
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 8 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -212,13 +212,13 @@ jobs:
         with:
           input: trivy-results/result.sarif
           output: trivy-results/result.sarif
-          severity: high
+          severity: critical
       - uses: itxaka/sarif-filter@v1
         if: startsWith(github.ref, 'refs/tags/')
         with:
           input: grype-results/result.sarif
           output: grype-results/result.sarif
-          severity: high
+          severity: critical
       - name: Release
         uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
         if: startsWith(github.ref, 'refs/tags/')

diff --git a/.github/workflows/reusable-build-flavor.yaml b/.github/workflows/reusable-build-flavor.yaml
@@ -148,26 +148,26 @@ jobs:
         with:
           input: trivy-results/result.sarif
           output: trivy-results/result.sarif
-          severity: high
+          severity: critical
       - uses: itxaka/sarif-filter@v1
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
         with:
           input: grype-results/result.sarif
           output: grype-results/result.sarif
-          severity: high
+          severity: critical
       - name: Check scan results
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
         continue-on-error: true
         run: |
           result=$(cat grype-results/result.sarif | jq '.runs[0].results | length')
           if (( result > 0 )); then
-              echo "Critical or high severity issues found in Grype scan"
+              echo "Critical severity issues found in Grype scan"
               exit 1
           fi
 
           result=$(cat trivy-results/result.sarif | jq '.runs[0].results | length')
           if (( result > 0 )); then
-              echo "Critical or high severity issues found in Trivy scan"
+              echo "Critical severity issues found in Trivy scan"
               exit 1
           fi
       - name: Upload Trivy scan results to GitHub Security tab

diff --git a/.github/workflows/reusable-docker-arm-build.yaml b/.github/workflows/reusable-docker-arm-build.yaml
@@ -188,13 +188,13 @@ jobs:
         with:
           input: trivy.sarif
           output: trivy.sarif
-          severity: high
+          severity: critical
       - uses: itxaka/sarif-filter@v1
         if: startsWith(github.ref, 'refs/tags/')
         with:
           input: grype.sarif
           output: grype.sarif
-          severity: high
+          severity: critical
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         if: startsWith(github.ref, 'refs/tags/')
@@ -207,3 +207,11 @@ jobs:
         with:
           sarif_file: 'grype.sarif'
           category: ${{ matrix.flavor }}-${{ inputs.flavor_release }}-${{ inputs.variant }}-arm64-${{ inputs.model }}
+      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          name: ${{ matrix.flavor }}-${{ inputs.flavor_release }}-${{ inputs.variant }}-arm64-${{ inputs.model }}-scan-results
+          path: |
+            trivy.sarif
+            grype.sarif
+          if-no-files-found: error