From f020473490938fcd24beaa86ccdcf6e0b5cf1d75 Mon Sep 17 00:00:00 2001 From: Stephen Kitt Date: Mon, 11 Mar 2024 10:53:47 +0100 Subject: [PATCH] Only fail builds for high+ vulns Since the vulnerability scan doesn't distinguish between vulnerabilities added by the PR and those coming from vulnerability updates, PRs are regularly blocked because of unrelated vulnerabilities. Arguably this is desirable for important vulnerabilities since it forces them to be handled; but other vulnerabilities shouldn't block PRs. This changes the fail threshold to high, so that only vulnerabilities with severity high or critical will block the build. Signed-off-by: Stephen Kitt --- .github/workflows/linting.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index 6260c791..e98fcd27 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -107,7 +107,7 @@ jobs: with: path: "." fail-build: true - severity-cutoff: negligible + severity-cutoff: high - name: Show Anchore scan SARIF report if: always() run: cat ${{ steps.scan.outputs.sarif }}