New version 0.14.0 fails pipeline if format: 'sarif' and exit-code: '1' and there are no CRITICAL/HIGH vulnerabilities found.

[eugentius]

New version 0.14.0 fails pipeline if format: 'sarif' and exit-code: '1' and there are no CRITICAL/HIGH vulnerabilities found:

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: ${{ env.image-ref }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

Older version 0.13.1 doesn't respect exit-code if format: 'sarif'

[eugentius]

found the reason:
--severity flag is not passed if sarif == true:

trivy  image <image-with-no-critical-vuln> --exit-code  1 --ignore-unfixed --vuln-type  os,library --severity CRITICAL; echo $?
0
trivy  image <image-with-no-critical-vuln> --exit-code  1 --ignore-unfixed --vuln-type  os,library ; echo $? 
1

https://github.com/aquasecurity/trivy-action/blob/master/entrypoint.sh#L178

This is a feature, not a bug :)

[eugentius]

limit-severities-for-sarif: true fixes the issue