Update scans.yml

yxtay · yxtay · commit 39b3aaabc74e · 2025-08-11T23:27:54.000+08:00
diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
@@ -316,20 +316,20 @@ jobs:
       - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.30
         with:
           scan-type: fs
-          ignore-unfixed: true
-          severity: HIGH,CRITICAL
           format: github
           output: dependency-results.sbom.json
           github-pat: ${{ github.token }}
 
       - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.30
         with:
           scan-type: fs
-          ignore-unfixed: true
-          severity: HIGH,CRITICAL
           format: sarif
           output: trivy-results.sarif
+          exit-code: ${{ github.event_name == 'pull_request' }}
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
           scanners: vuln,secret,misconfig
+          skip-setup-trivy: true
 
       - uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
         with:
@@ -356,19 +356,19 @@ jobs:
       - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.30
         with:
           image-ref: ${{ steps.build.outputs.imageid }}
-          ignore-unfixed: true
-          severity: HIGH,CRITICAL
           format: github
           output: dependency-results.sbom.json
           github-pat: ${{ github.token }}
 
       - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.30
         with:
           image-ref: ${{ steps.build.outputs.imageid }}
-          ignore-unfixed: true
-          severity: HIGH,CRITICAL
           format: sarif
           output: trivy-results.sarif
+          exit-code: ${{ github.event_name == 'pull_request' }}
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
+          skip-setup-trivy: true
 
       - uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
         with:
