fix(ci): wire .trivyignore.yaml into release-gate Trivy scans
The CRITICAL + HIGH Trivy steps in release-gate.yml were invoking aquasecurity/trivy-action without the `trivyignores` input, so the .trivyignore.yaml at the repo root (committed in #190 to mitigate CVE-2026-40393 / Mesa) was silently ignored — the gate kept failing on a CVE we explicitly chose to defer. Pass `trivyignores: .trivyignore.yaml` to both Trivy steps so the file takes effect. The HIGH step also gets it for consistency (it doesn't fail the gate, but reporting a CVE we ignore as HIGH would be noise). Refs #189
This commit is contained in:
parent
efc27932dd
commit
a7fbdf7b1b
1 changed files with 2 additions and 0 deletions
2
.github/workflows/release-gate.yml
vendored
2
.github/workflows/release-gate.yml
vendored
|
|
@ -353,6 +353,7 @@ jobs:
|
||||||
exit-code: 1
|
exit-code: 1
|
||||||
severity: CRITICAL
|
severity: CRITICAL
|
||||||
output: /tmp/trivy-critical-${{ matrix.target }}.txt
|
output: /tmp/trivy-critical-${{ matrix.target }}.txt
|
||||||
|
trivyignores: .trivyignore.yaml
|
||||||
|
|
||||||
- name: Run Trivy — HIGH (informational)
|
- name: Run Trivy — HIGH (informational)
|
||||||
if: always()
|
if: always()
|
||||||
|
|
@ -363,6 +364,7 @@ jobs:
|
||||||
exit-code: 0
|
exit-code: 0
|
||||||
severity: HIGH
|
severity: HIGH
|
||||||
output: /tmp/trivy-high-${{ matrix.target }}.txt
|
output: /tmp/trivy-high-${{ matrix.target }}.txt
|
||||||
|
trivyignores: .trivyignore.yaml
|
||||||
|
|
||||||
- name: Annotate HIGH vulnerabilities
|
- name: Annotate HIGH vulnerabilities
|
||||||
if: always()
|
if: always()
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue