Description
Is your feature request related to a problem? Please describe.
The current implementation of the trivy stage brings few to no benefits. It passes the scan no matter what issues were detected, which leaves the Bitbucket Code Insight symbol always showing PASSED. The exception is an operational error, in which case no report is created and the insight symbol shows FAILED. Looking at a PR where the Code Insight symbol is presented, you don't see any hint that there might be critical findings in your code because the symbol suggests it passed. No one would ever click on it to follow the link to the actual report to dig deeper. At least that was the feedback from each of my team members, which I agree with 😆. Normally, as in the sonar stage as well, you can pass a severity threshold as a quality gate.
By default, Trivy CLI exits with code 0 even when security issues are detected. For CI/CD pipelines, Trivy provides the --exit-code option which can be used e.g. to fail on exceeding severity thresholds: trivy image --exit-code 1 --severity CRITICAL <image>.
Currently, when these additional options are provided, the trivy stage stops storing the report because a non-zero exit code was returned once the severity threshold was exceeded. In a PR, the Code Insight symbol is FAILED but no report is added, since the stage assumed there was an operational error.
To summarize the current situation:
- If there are critical issues, no one would notice because the Code Insight Symbol implies PASSED
- If a severity threshold was set as an additional flag in the Jenkinsfile and exceeded during the pipeline run, the Code Insight Symbol is FAILED but has no report attached, which makes this option overall worthless.
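The distinction the two points above ask for (a quality-gate failure that still has a report, versus an operational error that has none) as an added example, not code from the ODS shared library: a POSIX shell sketch that reads the configured --exit-code value from the joined additionalFlags string and classifies a scan run from Trivy's exit code together with whether a report file was actually produced. The function names, the result labels and the scanner stub are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not ODS shared-library code. Assumes the stage joins
# additionalFlags into one string (e.g. "--severity HIGH,CRITICAL --exit-code 1")
# and writes the scanner's output to a report file.

# Extract the value given to --exit-code from the flag string; 0 if absent.
configured_exit_code() {
    flags="$1"
    code=$(printf '%s\n' "$flags" | sed -n 's/.*--exit-code[ =]\([0-9][0-9]*\).*/\1/p')
    printf '%s' "${code:-0}"
}

# Classify one scan run.
#   $1 = exit code returned by the scanner
#   $2 = exit code configured via --exit-code (0 if not set)
#   $3 = report file path
# Prints one of: PASSED, FAILED_QUALITY_GATE, ERROR (labels are assumptions).
# A non-zero exit code only counts as a quality-gate failure when it matches
# the configured value AND a non-empty report exists; otherwise the scanner
# itself failed and there is nothing to attach.
classify_scan_result() {
    rc="$1"; gate_rc="$2"; report="$3"
    if [ "$rc" -eq 0 ]; then
        if [ -s "$report" ]; then printf 'PASSED'; else printf 'ERROR'; fi
    elif [ "$gate_rc" -ne 0 ] && [ "$rc" -eq "$gate_rc" ] && [ -s "$report" ]; then
        printf 'FAILED_QUALITY_GATE'
    else
        printf 'ERROR'
    fi
}

# Run the scanner command ($3...), keep its report, and map the outcome to a
# return code the stage can act on: 0 = passed, 1 = quality gate failed
# (report kept and should be attached), 2 = operational error (no usable report).
run_scan() {
    flags="$1"; report="$2"; shift 2
    gate_rc=$(configured_exit_code "$flags")
    if "$@" > "$report"; then rc=0; else rc=$?; fi
    result=$(classify_scan_result "$rc" "$gate_rc" "$report")
    case "$result" in
        PASSED)              return 0 ;;
        FAILED_QUALITY_GATE) return 1 ;;
        *)                   return 2 ;;
    esac
}
```

Usage in a stage would be `run_scan "$additional_flags" trivy-report.json trivy image $additional_flags "$image"`, attaching the report whenever the return code is 0 or 1 and only treating 2 as a broken scan. If the configured --exit-code value happens to equal the code Trivy uses for its own errors, the presence of a non-empty report is the only thing separating the two cases, which is why the classifier checks the file rather than the exit code alone.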
Describe the solution you'd like
Be able to use severity thresholds as a quality gate, have the correct Code Insight Symbol displayed in the PR, and be able to actually see the report in that case.
It would look like this:
```groovy
odsComponentStageScanWithTrivy(context, [
    'additionalFlags': ['--severity HIGH,CRITICAL', '--exit-code 1'],
])
```
Describe alternatives you've considered
Overwrite this part of the shared lib in my Jenkinsfile, but I would rather try to fix it in ODS.