Skip to content

Commit

Permalink
Only fail builds for high+ vulns
Browse files Browse the repository at this point in the history
Since the vulnerability scan doesn't distinguish between
vulnerabilities added by the PR and those coming from vulnerability
updates, PRs are regularly blocked because of unrelated
vulnerabilities. Arguably this is desirable for important
vulnerabilities since it forces them to be handled; but other
vulnerabilities shouldn't block PRs.

This changes the fail threshold to high, so that only vulnerabilities
with severity high or critical will block the build.

Signed-off-by: Stephen Kitt <[email protected]>
  • Loading branch information
skitt authored and tpantelis committed Mar 18, 2024
1 parent 979a87d commit 31e1d7e
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion .github/workflows/linting.yml
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,7 @@ jobs:
with:
path: "."
fail-build: true
severity-cutoff: negligible
severity-cutoff: high
- name: Show Anchore scan SARIF report
if: always()
run: cat ${{ steps.scan.outputs.sarif }}
Expand Down

0 comments on commit 31e1d7e

Please sign in to comment.