Exit with error only on specified severities

[PascalTurbo]

Description

For usage in CI Pipelines it would be great to configure, when trivy should exit with or without an error. For example, if CVEs with critical severities are found, trivy should fail with exit code 1. But if the highest severity of a scan is LOW, trivy should succeed.

Target

None

Scanner

None

[knqyf263]

It can be achieved by trivy convert.
https://aquasecurity.github.io/trivy/v0.48/docs/configuration/reporting/#converting

# Output all severities in JSON
$ trivy image --format json -o result.json --list-all-pkgs debian:11

# Fail on critical issues
$ trivy convert --exit-code 1 --severity CRITICAL result.json

[PascalTurbo]

Thank you. That's a way better workaround than mine (working with jq queries).

From my perspective, I wouldn't close that issue as it might be more comfortable to run one command than two. But decided it on your own.
For our Azure Pipelines it's related to aquasecurity/trivy-azure-pipelines-task#50

[vladislav-orlovskiy]

@knqyf263 can it be done with stdout? I pipe my trivy output to reviewdog so it can creat github PR comments. not sure running it twice is a good approach in pre-commit.

[knqyf263]

Do you mean something like this?

$ trivy image --format json --list-all-pkgs debian:11 | trivy convert --exit-code 1 --severity CRITICAL -

I’d like to know more details about your use case.

[vladislav-orlovskiy]

i am using trivy config (aka trivy fs . --scanners missconfig)