test if env with no severity args breaks

Kong · Aug 21, 2024 · ad1220d · ad1220d
1 parent e4b8f6c
commit ad1220d
Showing 1 changed file with 2 additions and 4 deletions.
diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml
@@ -281,8 +281,6 @@ runs:
       with:
         files: "${{ steps.meta.outputs.scan_image }}"
 
-    # Set ENV "severity: ${{ steps.meta.outputs.global_enforce_build_failure }}" to restrict Trivy to a particular severity
-    # Supported severity levels "LOW" "MEDIUM" "HIGH" "CRITICAL"
     - name: Generate docker-cis JSON report
       uses: docker://ghcr.io/aquasecurity/trivy:0.37.2
       if: ${{ steps.meta.outputs.scan_image != '' }}
@@ -292,6 +290,7 @@ runs:
         args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f json --ignore-unfixed -o ${{ steps.meta.outputs.cis_json_file }}"
       env:
         compliance: docker-cis
+        severity: ${{ steps.meta.outputs.global_enforce_build_failure }}
         input: ${{ steps.docker_tar.outputs.files_exists == 'true' && '--input' || '' }}
 
     - name: upload docker-cis JSON report
@@ -303,8 +302,6 @@ runs:
           ${{ steps.meta.outputs.cis_json_file }}
         if-no-files-found: warn
 
-    # Set ENV "severity: ${{ steps.meta.outputs.global_enforce_build_failure }}" to restrict Trivy to a particular severity
-    # Supported severity levels "LOW" "MEDIUM" "HIGH" "CRITICAL"
     - name: Inspect docker-cis report
       if: ${{ steps.meta.outputs.scan_image != '' }}
       uses: docker://ghcr.io/aquasecurity/trivy:0.37.2
@@ -314,4 +311,5 @@ runs:
       env:
         exit-code: ${{ (steps.meta.outputs.global_enforce_build_failure == 'true' || inputs.fail_build == 'true') && '1' || '0' }}
         compliance: docker-cis
+        severity: ${{ steps.meta.outputs.global_enforce_build_failure }}
         input: ${{ steps.docker_tar.outputs.files_exists == 'true' && '--input' || '' }}