Upd: Fail on high severity issues, do not excluse base image issues

bokysan · bokysan · commit cc31225512b9 · 2025-12-22T07:53:05.000+01:00
diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
@@ -152,7 +152,7 @@ jobs:
       - name: Run Snyk container test
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: snyk container test --exclude-base-image-vulns --file=./Dockerfile --docker boky/postfix:edge-alpine
+        run: snyk container test --severity-threshold=high --file=./Dockerfile --docker boky/postfix:edge-alpine
 
   Build_Ubuntu:
     runs-on: ubuntu-latest
@@ -233,7 +233,7 @@ jobs:
       - name: Run Snyk container test
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: snyk container test --exclude-base-image-vulns --file=./Dockerfile --docker boky/postfix:edge-ubuntu
+        run: snyk container test --severity-threshold=high --file=./Dockerfile --docker boky/postfix:edge-ubuntu
 
   Build_Debian:
     runs-on: ubuntu-latest
@@ -325,4 +325,4 @@ jobs:
       - name: Run Snyk container test
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: snyk container test --exclude-base-image-vulns --file=./Dockerfile --docker boky/postfix:edge-debian
+        run: snyk container test --severity-threshold=high --file=./Dockerfile --docker boky/postfix:edge-debian
diff --git a/.github/workflows/tags.yml b/.github/workflows/tags.yml
@@ -135,7 +135,7 @@ jobs:
       - name: Run Snyk container test
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: snyk container test --exclude-base-image-vulns --file=./Dockerfile --docker boky/postfix:${{ env.RELEASE_VERSION }}-alpine
+        run: snyk container test --severity-threshold=high --file=./Dockerfile --docker boky/postfix:${{ env.RELEASE_VERSION }}-alpine
 
   Build_Ubuntu:
     runs-on: ubuntu-latest
@@ -214,7 +214,7 @@ jobs:
       - name: Run Snyk container test
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: snyk container test --exclude-base-image-vulns --file=./Dockerfile --docker boky/postfix:${{ env.RELEASE_VERSION }}-ubuntu
+        run: snyk container test --severity-threshold=high --file=./Dockerfile --docker boky/postfix:${{ env.RELEASE_VERSION }}-ubuntu
 
 
   Build_Debian:
@@ -297,7 +297,7 @@ jobs:
       - name: Run Snyk container test
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: snyk container test --exclude-base-image-vulns --file=./Dockerfile --docker boky/postfix:${{ env.RELEASE_VERSION }}-debian
+        run: snyk container test --severity-threshold=high --file=./Dockerfile --docker boky/postfix:${{ env.RELEASE_VERSION }}-debian
 
 
   Release:
