fix: correct Trivy SARIF severity mapping

david-waltermire · david-waltermire · commit c3a85aff1a5c · 2026-01-08T01:01:42.000-05:00
- error=CRITICAL (not CRITICAL/HIGH)
- warning=HIGH (not MEDIUM)
- note=MEDIUM/LOW (not just LOW)

Also update failure step to check both critical and high severity.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -211,15 +211,15 @@ jobs:
         echo "" >> $GITHUB_STEP_SUMMARY
         if [ -f "trivy-results.sarif" ]; then
           TOTAL=$(jq -r '.runs[0].results | length' trivy-results.sarif 2>/dev/null || echo "0")
-          # Trivy SARIF level mapping: error=CRITICAL/HIGH, warning=MEDIUM, note=LOW
+          # Trivy SARIF level mapping: error=CRITICAL, warning=HIGH, note=MEDIUM/LOW
           CRITICAL=$(jq -r '[.runs[0].results[] | select(.level == "error")] | length' trivy-results.sarif 2>/dev/null || echo "0")
-          MEDIUM=$(jq -r '[.runs[0].results[] | select(.level == "warning")] | length' trivy-results.sarif 2>/dev/null || echo "0")
-          LOW=$(jq -r '[.runs[0].results[] | select(.level == "note")] | length' trivy-results.sarif 2>/dev/null || echo "0")
+          HIGH=$(jq -r '[.runs[0].results[] | select(.level == "warning")] | length' trivy-results.sarif 2>/dev/null || echo "0")
+          MEDIUM_LOW=$(jq -r '[.runs[0].results[] | select(.level == "note")] | length' trivy-results.sarif 2>/dev/null || echo "0")
           echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
           echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| :red_circle: Critical/High | $CRITICAL |" >> $GITHUB_STEP_SUMMARY
-          echo "| :orange_circle: Medium | $MEDIUM |" >> $GITHUB_STEP_SUMMARY
-          echo "| :yellow_circle: Low | $LOW |" >> $GITHUB_STEP_SUMMARY
+          echo "| :red_circle: Critical | $CRITICAL |" >> $GITHUB_STEP_SUMMARY
+          echo "| :orange_circle: High | $HIGH |" >> $GITHUB_STEP_SUMMARY
+          echo "| :yellow_circle: Medium/Low | $MEDIUM_LOW |" >> $GITHUB_STEP_SUMMARY
           echo "| **Total** | **$TOTAL** |" >> $GITHUB_STEP_SUMMARY
           # Show details if there are findings
           if [ "$TOTAL" -gt 0 ]; then
@@ -270,11 +270,16 @@ jobs:
             fi
           done
         fi
-        # Check Trivy for error level (critical/high) findings
+        # Check Trivy for critical (error) and high (warning) findings
         if [ -f "trivy-results.sarif" ]; then
           TRIVY_CRITICAL=$(jq -r '[.runs[0].results[] | select(.level == "error")] | length' trivy-results.sarif 2>/dev/null || echo "0")
+          TRIVY_HIGH=$(jq -r '[.runs[0].results[] | select(.level == "warning")] | length' trivy-results.sarif 2>/dev/null || echo "0")
           if [ "$TRIVY_CRITICAL" -gt 0 ]; then
-            echo "::error::Trivy found $TRIVY_CRITICAL critical/high severity issue(s)"
+            echo "::error::Trivy found $TRIVY_CRITICAL critical severity issue(s)"
+            FAILED=true
+          fi
+          if [ "$TRIVY_HIGH" -gt 0 ]; then
+            echo "::error::Trivy found $TRIVY_HIGH high severity issue(s)"
             FAILED=true
           fi
         fi
