
Exit code 1 not leading to a failed CI/CD when using format sarif #228

Closed
VictorDelCampo opened this issue Apr 19, 2023 · 4 comments · Fixed by #247

Comments

@VictorDelCampo

We have been running trivy scans for different docker images on our github pipeline for a while using the following pattern:

[image: workflow snippet]

We keep upgrading the version of the trivy action using the commit SHA.

Since a couple of updates ago we have realized that even if the scan finds HIGH/CRITICAL vulnerabilities, the step does not fail as expected when using exit-code = 1. We do see the vulnerability in the security tab, and even the pipeline run linked on that page that produced that vulnerability, but the pipeline run did NOT fail as it used to before.

We have run the pipeline locally with act and observed exactly the same behaviour. We came to the conclusion that as soon as the format "sarif" and an "output" are used, the exit-code is completely ignored.

This is not the case when running the trivy package itself on the very same image using the following command:

trivy image --exit-code 1 --severity HIGH,CRITICAL --format sarif -o trivy-results.sarif [image+tag]

This command returns an exit code of 1 if HIGH/CRITICAL vulnerabilities were found.

For now we are manually checking the sarif file and consequently producing an exit code of 1 if HIGH/CRITICAL vulnerabilities were found, but it would be great if you could have a look.

Thanks a lot!
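One way to implement the manual SARIF check the post describes, as an added example (not code from this issue or from trivy-action itself). It assumes the SARIF layout Trivy emits, where each rule lists its severity among properties.tags, and falls back to the SARIF result level when a rule carries no severity tag; the sample report is constructed, not real scan output.

```python
"""Gate a CI step on a Trivy SARIF report: exit 1 on HIGH/CRITICAL findings."""
import json
import sys

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
# Assumed fallback: SARIF level -> severity when the rule has no severity tag.
LEVEL_FALLBACK = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW"}

# Constructed sample in the assumed Trivy SARIF layout (two findings).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "CVE-0000-0001", "properties": {"tags": ["vulnerability", "security", "HIGH"]}},
            {"id": "CVE-0000-0002", "properties": {"tags": ["vulnerability", "security", "LOW"]}},
        ]}},
        "results": [
            {"ruleId": "CVE-0000-0001", "level": "error"},
            {"ruleId": "CVE-0000-0002", "level": "note"},
        ],
    }],
}


def count_by_severity(sarif: dict) -> dict:
    """Return {severity: count} over every result in every run of the report."""
    counts = {s: 0 for s in SEVERITIES}
    for run in sarif.get("runs", []):
        rules = {r.get("id"): r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId"), {})
            tags = {t.upper() for t in rule.get("properties", {}).get("tags", [])}
            tagged = next((s for s in SEVERITIES if s in tags), None)
            sev = tagged or LEVEL_FALLBACK.get(result.get("level"), "UNKNOWN")
            counts[sev] += 1
    return counts


def gate_exit_code(sarif: dict, fail_on=("CRITICAL", "HIGH")) -> int:
    """Mirror `--exit-code 1 --severity HIGH,CRITICAL`: 1 if any such finding."""
    counts = count_by_severity(sarif)
    return 1 if any(counts[s] for s in fail_on) else 0


if __name__ == "__main__":
    # Usage: python gate.py trivy-results.sarif  (no argument: use the sample)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    print(count_by_severity(doc))
    sys.exit(gate_exit_code(doc))
```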

JulianRoesner added a commit to digitalservicebund/useid-backend-service that referenced this issue Apr 26, 2023
As mentioned in [this issue](aquasecurity/trivy-action#228) somehow the exit codes are not set correctly. Therefore, we are for now checking the scan results in an additional step
@VictorDelCampo (Author)

@rogercoll I just tested your latest commit and the bug with sarif + exit-code is still there.

@dnaprawa commented Sep 1, 2023

+1. I have experienced the same problem for fs type scanning. When the format is table, the job fails; when it is sarif, it passes even if there are critical vulnerabilities.

@simao-silva (Contributor)

I can confirm that #247 solves the issue.

simar7 pushed a commit that referenced this issue Nov 7, 2023
This change moves the return code to outside the trivy call. This fixes
#228 as the return code was not being propagated.
@simao-silva (Contributor)

Found this bug again. It still shows when using format: "sarif" and skip-files together.
Should this issue be reopened, or should I create a new one?
