
exit-code with SARIF format doesn't respect the 'severity' parameter #309

Open
v-starodubov opened this issue Feb 15, 2024 · 3 comments

Comments

@v-starodubov

v-starodubov commented Feb 15, 2024

Hello,

I'm trying to construct a scan step with the Trivy action and have faced an issue: the action uses the exit-code even when no intended severities are found, because by default the SARIF format enforces output of all vulnerabilities regardless of the configured severities.
With limit-severities-for-sarif: true my pipeline works fine, but I get a stripped report file.

The goal is to get a full SARIF file and stop the workflow (with exit-code) only if the selected severities are found.

- name: Scan Docker image for vulnerabilities
  id: scan
  uses: aquasecurity/trivy-action@0.17.0
  with:
    input: /github/workspace/vault-init-image
    severity: 'HIGH,CRITICAL'
    exit-code: '1'
    format: 'sarif'
    limit-severities-for-sarif: false
    output: 'trivy-results.sarif'

In Workflow: https://github.com/Alpacked/security-hardening-helm/actions/runs/7916739186/job/21611265613

Resulting vulnerabilities from scan: (screenshot in the original comment)
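One way to get what the comment above asks for (the full SARIF file written, but the step failing only on the selected severities) is to run the action with limit-severities-for-sarif: false and exit-code: '0', then gate on the written file in a following run: step. The script below is an added example, not code from this issue, trivy-action or Trivy. It assumes the SARIF shape Trivy emits: each rule carries its severity name in properties.tags (next to a numeric "security-severity"), and each result references its rule by ruleId. The result "level" alone is not enough, because Trivy maps both HIGH and CRITICAL to "error". The sample report, rule ids and package names are constructed.

```python
"""Gate a CI step on selected severities from a full Trivy SARIF report.

Added example (not trivy-action's or Trivy's code). Assumes Trivy's SARIF
layout: severity name in each rule's properties.tags, results keyed by ruleId.
"""
import json
import sys

# Severity names as accepted by Trivy's --severity flag.
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample report in Trivy's SARIF shape; rule ids and package
# names are placeholders, not real findings.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "RULE-CRITICAL-1",
             "properties": {"security-severity": "9.8",
                            "tags": ["vulnerability", "security", "CRITICAL"]}},
            {"id": "RULE-MEDIUM-1",
             "properties": {"security-severity": "5.3",
                            "tags": ["vulnerability", "security", "MEDIUM"]}},
            {"id": "RULE-HIGH-1",
             "properties": {"security-severity": "7.5",
                            "tags": ["vulnerability", "security", "HIGH"]}},
        ]}},
        "results": [
            {"ruleId": "RULE-MEDIUM-1", "level": "warning",
             "message": {"text": "Package: libfoo (constructed)"}},
            {"ruleId": "RULE-MEDIUM-1", "level": "warning",
             "message": {"text": "Package: libbar (constructed)"}},
            {"ruleId": "RULE-HIGH-1", "level": "error",
             "message": {"text": "Package: libbaz (constructed)"}},
        ],
    }],
})


def load_sarif(text):
    """Parse SARIF JSON text into a dict."""
    return json.loads(text)


def parse_severity_input(value):
    """Turn the action-style input 'HIGH,CRITICAL' into a validated set."""
    selected = {s.strip().upper() for s in value.split(",") if s.strip()}
    unknown = selected - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severities: {sorted(unknown)}")
    return selected


def rule_severity_map(sarif):
    """Map ruleId -> severity name, read from each rule's tags."""
    severity_of = {}
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for rule in rules:
            tags = rule.get("properties", {}).get("tags", [])
            severity_of[rule["id"]] = next(
                (t for t in tags if t in SEVERITIES), "UNKNOWN")
    return severity_of


def count_by_severity(sarif):
    """Count results per severity; a rule without a known tag counts as UNKNOWN."""
    severity_of = rule_severity_map(sarif)
    counts = dict.fromkeys(SEVERITIES, 0)
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            counts[severity_of.get(result.get("ruleId"), "UNKNOWN")] += 1
    return counts


def gate_exit_code(sarif, selected):
    """Return 1 if any result falls in the selected severities, else 0."""
    counts = count_by_severity(sarif)
    return 1 if any(counts[s] for s in selected) else 0


if __name__ == "__main__":
    # Usage: python sarif_gate.py trivy-results.sarif HIGH,CRITICAL
    with open(sys.argv[1], encoding="utf-8") as fh:
        report = load_sarif(fh.read())
    wanted = parse_severity_input(sys.argv[2] if len(sys.argv) > 2 else "HIGH,CRITICAL")
    print(count_by_severity(report))
    sys.exit(gate_exit_code(report, wanted))
```

In a workflow this goes into a run: step placed after the scan step and before (or after) the upload-sarif step, so Code scanning still receives the complete report while the job fails only on the severities passed to the script.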

@jianmingtu

jianmingtu commented Apr 9, 2024

Can we solve this issue? I have the same problem: 'Code scanning' reports 1 medium vulnerability, but exit-code does not respect severity: 'HIGH,CRITICAL'.

  - name: Run Trivy vulnerability scanner for cmsint-pac-extractor
    uses: aquasecurity/trivy-action@master
    with:
      scan-type: image
      image-ref: docker.io/testtrivy/testtrivy:${{ github.sha }}
      format: sarif
      output: trivy-results.sarif
      exit-code: 1
      ignore-unfixed: true
      severity: HIGH,CRITICAL

(two screenshots in the original comment)

@austimkelly

austimkelly commented Apr 15, 2024

It seems like the SARIF report should not even have results outside the --severity range. For the examples above in the comments I'm seeing severity set to HIGH,CRITICAL, so why are there even MEDIUM results reported anyway? A medium severity should be ignored completely and not even be in the results; otherwise you are going to have a bunch of noise in your code scanning results.

Here's the PR:

#336

This may not fix the exit-code part, I haven't tested that but I'll post back if I do.

Update Addition: I just noticed this flag limit-severities-for-sarif. This actually adds the severity, but I do not see any way to fetch the exit-code value from the action other than just parsing the output sarif file. So this would make this PR not necessary.

@petergphillips

I've been caught out by this too. I found the output from the trivy command to be helpful, in that without limit-severities-for-sarif I can see

Building SARIF report with options:  --exit-code  1 --ignore-unfixed --vuln-type  os,library --skip-files /app/agent.jar  quay.io/hmpps/hmpps-prisoner-search:latest

and with the setting set to true I then get

Running trivy with options: trivy image  --format sarif --exit-code  1 --ignore-unfixed --vuln-type  os,library --severity  HIGH,CRITICAL --output  trivy-results.sarif --skip-files /app/agent.jar  quay.io/hmpps/hmpps-prisoner-search:latest

It does feel like incompatible options (severity with sarif without limit-severities-for-sarif) should at least result in a warning that the severity will then be ignored.
