Only fail builds for high+ vulns

Since the vulnerability scan doesn't distinguish between vulnerabilities added by the PR and those coming from vulnerability updates, PRs are regularly blocked because of unrelated vulnerabilities. Arguably this is desirable for important vulnerabilities since it forces them to be handled; but other vulnerabilities shouldn't block PRs. This changes the fail threshold to high, so that only vulnerabilities with severity high or critical will block the build. Signed-off-by: Stephen Kitt <[email protected]>
submariner-io · Mar 18, 2024 · 31e1d7e · 31e1d7e
1 parent 979a87d
commit 31e1d7e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -107,7 +107,7 @@ jobs:
         with:
           path: "."
           fail-build: true
-          severity-cutoff: negligible
+          severity-cutoff: high
       - name: Show Anchore scan SARIF report
         if: always()
         run: cat ${{ steps.scan.outputs.sarif }}