The CRITICAL + HIGH Trivy steps in release-gate.yml were invoking aquasecurity/trivy-action without the `trivyignores` input, so the .trivyignore.yaml at the repo root (committed in #190 to mitigate CVE-2026-40393 / Mesa) was silently ignored — the gate kept failing on a CVE we explicitly chose to defer. Pass `trivyignores: .trivyignore.yaml` to both Trivy steps so the file takes effect. The HIGH step also gets it for consistency (it doesn't fail the gate, but reporting a CVE we ignore as HIGH would be noise). Refs #189 |
||
|---|---|---|
| .. | ||
| ISSUE_TEMPLATE | ||
| workflows | ||
| PULL_REQUEST_TEMPLATE.md | ||