feat: remove skip scan option and add scan_high_severity flag (#186)

dvvanessastoiber · web-flow · commit b86b550e0b59 · 2025-07-02T15:15:12.000+02:00
* feat: remove skip scan option and add optional removal of high severity scan

* fix: linting

* fix: linting

* fix: branch name

* fix: pass env correctly

* fix: add fromJson

* fix: add all options

* chore: remove logs

* fix: readd skip_image_scan

* fix: reset branches
diff --git a/.github/workflows/build-docker-artifacts-config.schema.json b/.github/workflows/build-docker-artifacts-config.schema.json
@@ -38,7 +38,12 @@
                     "skip_image_scan": {
                       "type": "boolean",
                       "default": false,
-                      "description": "Skip scanning the image for vulnerabilities"
+                      "description": "[Deprecated: use scan_high_severity or the .trivyignore file instead] Skip scanning the image for vulnerabilities"
+                    },
+                    "scan_high_severity": {
+                      "type": "boolean",
+                      "default": true,
+                      "description": "Scan the image for high severity vulnerabilities"
                     }
                   },
                   "required": ["directory", "ecr_repository"]
diff --git a/.github/workflows/build-docker-artifacts.yml b/.github/workflows/build-docker-artifacts.yml
@@ -26,6 +26,11 @@ on:
         type: boolean
         required: false
         default: false
+      scan_high_severity:
+        description: 'Include high severity'
+        type: boolean
+        required: false
+        default: true
       runs_on:
         type: string
         required: false
@@ -240,6 +245,16 @@ jobs:
           # https://github.com/docker/build-push-action/issues/1156#issuecomment-2437227730
           DOCKER_BUILD_SUMMARY: false
 
+      - name: Determine trivy scan severity levels
+        id: set_severity
+        run: |
+          if [[ "${{ github.event.inputs.scan_high_severity }}" == "false" ]] || \
+             [[ "${{ vars.SCAN_HIGH_SEVERITY }}" == "false" ]] || \
+             [[ "${{ matrix.component.scan_high_severity }}" == "false" ]]; then
+            echo "severity=CRITICAL" >> "$GITHUB_OUTPUT"
+          else
+            echo "severity=HIGH,CRITICAL" >> "$GITHUB_OUTPUT"
+          fi
       - name: Run Trivy vulnerability scanner
         if: ${{ inputs.skip_image_scan != true && fromJson(vars.SKIP_IMAGE_SCAN || 'false') != true && matrix.component.skip_image_scan != true }}
         uses: aquasecurity/trivy-action@0.30.0
@@ -249,7 +264,7 @@ jobs:
           exit-code: '1'
           ignore-unfixed: false
           vuln-type: 'os,library'
-          severity: 'HIGH,CRITICAL'
+          severity: ${{ steps.set_severity.outputs.severity }}
         continue-on-error: false 
 
       - name: Push image
