chore: make CRD image Trivy scan warning only #2576

Open
fseldow wants to merge 1 commit into notaryproject:v1-dev from fseldow:chore-crd-trivy-warning-v1-dev

Conversation

@fseldow fseldow commented Jun 11, 2026
Contributor

Summary

Make Trivy scans for the CRD image warning-only while keeping the Ratify server image scan blocking.

Motivation

The CRD image bundles upstream kubectl, which can carry Go stdlib CVE findings until Kubernetes publishes a patched kubectl build. These findings should remain visible in CI logs, but should not block Ratify changes. The Ratify server image still fails CI on HIGH/CRITICAL vulnerabilities.

Changes

  • Split the blocking image scan step so only the Ratify server image uses --exit-code 1
  • Add a separate CRD image HIGH/CRITICAL Trivy scan without --exit-code 1

Validation

  • Parsed .github/workflows/scan-vulns.yaml as YAML successfully.
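An added illustration of the split described above (constructed example, not the PR's actual scan-vulns.yaml diff): the server image step keeps `--exit-code 1`, the CRD image step runs the same HIGH/CRITICAL scan with `--exit-code 0`. It assumes the Trivy CLI is already on the runner, and the image references and step names are placeholders.

```yaml
# Constructed example of the two-step split; image refs and step names are
# placeholders, and trivy is assumed to be installed on the runner.
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # Ratify server image: HIGH/CRITICAL findings fail the job.
      - name: Scan Ratify server image (blocking)
        run: |
          trivy image --severity HIGH,CRITICAL --exit-code 1 \
            ghcr.io/example/ratify:local   # placeholder image ref

      # CRD image: same severities are printed to the job log, but the step
      # returns 0 so upstream kubectl (Go stdlib) findings never block CI.
      - name: Scan CRD image (warning only)
        run: |
          trivy image --severity HIGH,CRITICAL --exit-code 0 \
            ghcr.io/example/ratify-crds:local   # placeholder image ref
```

With `--exit-code 0` the findings still appear in the step output, so the job log, not the job status, is where CRD image CVEs must be reviewed.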

@charleswool charleswool left a comment

Contributor

LGTM

@fseldow fseldow force-pushed the chore-crd-trivy-warning-v1-dev branch 5 times, most recently from c11b74d to ebd78cf on June 12, 2026 07:21
Keep the Ratify server image HIGH/CRITICAL Trivy scan blocking, but report CRD image findings without failing CI because the CRD image bundles upstream kubectl.

Signed-off-by: xinhl <xinhl@microsoft.com>

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@fseldow fseldow force-pushed the chore-crd-trivy-warning-v1-dev branch from ebd78cf to 5e87113 on June 12, 2026 07:22

3 participants