Confirm effectiveness of vuln scans (#2248)

### Time to review: __1 mins__ ## Changes proposed Confirms that grype is scanning down to "medium" level vulnerabilities ## Context for reviewers I wasn't sure that it was already doing this, and this PR confirms that it is.
HHS · Sep 27, 2024 · e075024 · e075024
1 parent d30fadf
commit e075024
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
@@ -147,6 +147,8 @@ jobs:
         with:
           image: ${{ needs.build-and-cache.outputs.image }}
           output-format: table
+          fail-build: true
+          severity-cutoff: medium
 
       - name: Save output to workflow summary
         if: always() # Runs even if there is a failure

diff --git a/.grype.yml b/.grype.yml
@@ -1,3 +1,5 @@
+fail-on-severity: "medium"
+
 # List of vulnerabilities to ignore for the anchore scan
 # https://github.com/anchore/grype#specifying-matches-to-ignore
 # More info can be found in the docs/infra/vulnerability-management.md file