From a7fbdf7b1b973a5cc6a31fb05eaa5a3fe1629155 Mon Sep 17 00:00:00 2001 From: Pier-Jean Malandrino Date: Wed, 29 Apr 2026 09:56:01 +0200 Subject: [PATCH] fix(ci): wire .trivyignore.yaml into release-gate Trivy scans MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The CRITICAL + HIGH Trivy steps in release-gate.yml were invoking aquasecurity/trivy-action without the `trivyignores` input, so the .trivyignore.yaml at the repo root (committed in #190 to mitigate CVE-2026-40393 / Mesa) was silently ignored — the gate kept failing on a CVE we explicitly chose to defer. Pass `trivyignores: .trivyignore.yaml` to both Trivy steps so the file takes effect. The HIGH step also gets it for consistency (it doesn't fail the gate, but reporting a CVE we ignore as HIGH would be noise). Refs #189 --- .github/workflows/release-gate.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release-gate.yml b/.github/workflows/release-gate.yml index 1fd05a5..2360092 100644 --- a/.github/workflows/release-gate.yml +++ b/.github/workflows/release-gate.yml @@ -353,6 +353,7 @@ jobs: exit-code: 1 severity: CRITICAL output: /tmp/trivy-critical-${{ matrix.target }}.txt + trivyignores: .trivyignore.yaml - name: Run Trivy — HIGH (informational) if: always() @@ -363,6 +364,7 @@ jobs: exit-code: 0 severity: HIGH output: /tmp/trivy-high-${{ matrix.target }}.txt + trivyignores: .trivyignore.yaml - name: Annotate HIGH vulnerabilities if: always()