The CRITICAL + HIGH Trivy steps in release-gate.yml were invoking aquasecurity/trivy-action without the `trivyignores` input, so the .trivyignore.yaml at the repo root (committed in #190 to mitigate CVE-2026-40393 / Mesa) was silently ignored — the gate kept failing on a CVE we explicitly chose to defer. Pass `trivyignores: .trivyignore.yaml` to both Trivy steps so the file takes effect. The HIGH step also gets it for consistency (it doesn't fail the gate, but reporting a CVE we ignore as HIGH would be noise). Refs #189 |
||
|---|---|---|
| .. | ||
| auto-close-issues.yml | ||
| ci.yml | ||
| docling-compat.yml | ||
| docs.yml | ||
| release-gate.yml | ||
| release.yml | ||