Add trivy_severity input

Author: puehringer

.github/actions/build-node-python/action.yml

@@ -63,6 +63,9 @@ inputs:
     description: "Enable trivy scans on lock files"
     default: "false"  # Enable this by default?
     required: false
+  trivy_severity:
+    description: "Severity level for trivy"
+    required: false
   chromatic_enable:
     description: "Enable Chromatic tests"
     required: false
@@ -299,8 +302,8 @@ runs:
         scan-type: "fs"
         scan-ref: "uv.lock"
         exit-code: "1"
-        scaners: "vuln"
-        severity: "CRITICAL" # HIGH,CRITICAL may be too strict
+        scanners: "vuln"
+        severity: ${{ inputs.trivy_severity || 'CRITICAL' }}
         ignore-unfixed: false
         # The cache update takes quite long, so let's try to disable it for now: https://github.com/aquasecurity/trivy-action#cache
         cache: "false"
@@ -312,8 +315,8 @@ runs:
         scan-type: "fs"
         scan-ref: "yarn.lock"
         exit-code: "1"
-        scaners: "vuln"
-        severity: "CRITICAL" # HIGH,CRITICAL may be too strict
+        scanners: "vuln"
+        severity: ${{ inputs.trivy_severity || 'CRITICAL' }}
         ignore-unfixed: false
         # The cache update takes quite long, so let's try to disable it for now: https://github.com/aquasecurity/trivy-action#cache
         cache: "false"

.github/workflows/build-docker-artifacts.yml

@@ -294,7 +294,7 @@ jobs:
           image-ref: ${{ matrix.component.image_ref }}
           # Disable scanning the current directory (defaults to .)
           scan-ref: "/dev/null"
-          format: "table"
+          format: "github"
           exit-code: "1"
           ignore-unfixed: false
           vuln-type: "os,library"

.github/workflows/build-node-python.yml

@@ -79,6 +79,10 @@ on:
         default: false  # Enable this by default?
         type: boolean
         required: false
+      trivy_severity:
+        description: "Severity for the trivy scans"
+        type: string
+        required: false
       chromatic_enable:
         description: 'Enable Chromatic tests'
         required: false
@@ -157,6 +161,7 @@ jobs:
           # We probably won't need Rust on Node builds...
           # enable_rust: ${{ inputs.rust_enable }}
           trivy_enable: ${{ inputs.trivy_enable }}
+          trivy_severity: ${{ inputs.trivy_severity }}
           run_parallel: ${{ inputs.run_parallel }}
           node_version: ${{ vars.NODE_VERSION || inputs.node_version }}
           npm_registry: ${{ vars.NPM_REGISTRY }}
@@ -198,6 +203,7 @@ jobs:
           enable_node: false
           enable_python: true
           trivy_enable: ${{ inputs.trivy_enable }}
+          trivy_severity: ${{ inputs.trivy_severity }}
           enable_rust: ${{ inputs.rust_enable }}
           run_parallel: ${{ inputs.run_parallel }}
           node_version: ${{ vars.NODE_VERSION || inputs.node_version }}
@@ -290,6 +296,7 @@ jobs:
         uses: ./tmp/github-workflows/.github/actions/build-node-python
         with:
           trivy_enable: ${{ inputs.trivy_enable }}
+          trivy_severity: ${{ inputs.trivy_severity }}
           enable_rust: ${{ inputs.rust_enable }}
           run_parallel: ${{ inputs.run_parallel }}
           node_version: ${{ vars.NODE_VERSION || inputs.node_version }}
@@ -434,6 +441,7 @@ jobs:
         uses: ./tmp/github-workflows/.github/actions/build-node-python
         with:
           trivy_enable: ${{ inputs.trivy_enable }}
+          trivy_severity: ${{ inputs.trivy_severity }}
           enable_rust: ${{ inputs.rust_enable }}
           run_parallel: ${{ inputs.run_parallel }}
           node_version: ${{ vars.NODE_VERSION || inputs.node_version }}