Describe the bug
The script relies on parsing Trivy JSON output to decide whether to fail the CI pipeline. However, Trivy returns exit code 0 even when vulnerabilities exist unless --exit-code is passed, so the only thing standing between a vulnerable image and a green build is the script's own parsing.
This means the pipeline may pass even though HIGH/CRITICAL vulnerabilities were detected whenever JSON parsing fails, the report schema changes, or the severity extraction logic misses a case.
This creates a false-negative security result: the scan fails open instead of failing closed.
Why this is a problem
Trivy supports built-in failure control using:
--exit-code 1 --severity CRITICAL,HIGH
Currently the script:
- Runs Trivy without --exit-code
- Reimplements failure logic manually
- Risks mismatch between Trivy behavior and script logic
This is a logic duplication bug and a security reliability issue.
Expected behavior
The scan should fail automatically when vulnerabilities matching the configured threshold are found.
Current behavior
The script:
- Runs Trivy without --exit-code
- Parses JSON manually
- Can incorrectly pass CI if parsing fails or output changes.
Proposed fix
Use Trivy's native exit-code enforcement and keep JSON only for reporting. Note that --severity also filters the report itself, so the JSON will only list findings at the configured severities; if a full report is wanted for auditing, run a second scan without the filter rather than weakening the gate.
Example fix in command:
import subprocess
import sys

cmd = [
    "docker", "run", "--rm",
    "-v", "/var/run/docker.sock:/var/run/docker.sock",
    trivy_image,
    "image",
    "--exit-code", "1",
    "--severity", ",".join(fail_on),
    "--format", "json",
    "my-image:latest",
]
result = subprocess.run(cmd, capture_output=True, text=True)
Then CI can simply rely on the return code. Check for any non-zero value rather than exactly 1: docker itself exits 125 when the daemon is unreachable and 127 when the binary is missing, and a Trivy error (no vulnerability DB, image pull failure) must not pass silently either.
if result.returncode != 0:
    print("❌ Vulnerabilities detected or scan failed")
    sys.exit(1)
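A fuller version of the proposed fix, as an added example rather than the project's script: the pass/fail decision is driven only by the exit code (fail closed on any non-zero value), while the JSON report is parsed purely to describe what was found and never to decide the outcome. The `FAIL_ON` threshold, the `aquasec/trivy:latest` image, the `run_scan` wrapper and the embedded sample report are assumptions for illustration; the sample report is constructed, not real Trivy output.

```python
"""Gate CI on Trivy's exit code; use the JSON report only for the message.
Added example (not the project's script). FAIL_ON, the trivy image name,
run_scan and SAMPLE_REPORT are assumptions for illustration."""
import json
import subprocess
import sys

FAIL_ON = ("CRITICAL", "HIGH")  # assumed policy threshold

# Constructed sample report, not real Trivy output; shape follows Trivy's
# JSON ("Results" -> "Vulnerabilities" -> "Severity").
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "my-image:latest (alpine)",
        "Vulnerabilities": [
            {"PkgName": "example-pkg", "Severity": "CRITICAL"},
            {"PkgName": "example-pkg", "Severity": "HIGH"},
            {"PkgName": "other-pkg", "Severity": "HIGH"},
        ],
    }]
})


def build_trivy_cmd(target, fail_on=FAIL_ON, trivy_image="aquasec/trivy:latest"):
    """docker invocation using Trivy's own gate: non-zero exit whenever a
    finding at one of the listed severities remains after filtering."""
    return [
        "docker", "run", "--rm",
        "-v", "/var/run/docker.sock:/var/run/docker.sock",
        trivy_image,
        "image",
        "--exit-code", "1",
        "--severity", ",".join(fail_on),
        "--format", "json",
        target,
    ]


def summarize_report(report_text):
    """Count findings per severity. Returns None when the text is not a
    Trivy report; the caller must never turn None into a pass."""
    try:
        report = json.loads(report_text)
    except json.JSONDecodeError:
        return None
    if not isinstance(report, dict):
        return None
    counts = {}
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
    return counts


def verdict(returncode, report_text):
    """(passed, message). Exit 0 passes. Any other code fails, whether it
    came from findings (--exit-code 1), a Trivy error, or docker itself
    (125 daemon unreachable, 127 binary missing). The report only shapes
    the message, so a broken report can only make the failure less
    descriptive, never turn it into a pass."""
    if returncode == 0:
        return True, "no findings at " + "/".join(FAIL_ON)
    counts = summarize_report(report_text)
    if counts is None:
        return False, f"scan exited {returncode} without a parseable report"
    gated = {s: n for s, n in counts.items() if s in FAIL_ON}
    if gated:
        return False, f"trivy exited {returncode} with findings {gated}"
    return False, f"trivy exited {returncode} but reported no gated findings"


def run_scan(target):
    """Run the scan and return True only when the gate passed."""
    result = subprocess.run(build_trivy_cmd(target), capture_output=True, text=True)
    passed, message = verdict(result.returncode, result.stdout)
    print(("✅ " if passed else "❌ ") + message)
    if not passed and result.stderr:
        print(result.stderr, file=sys.stderr)
    return passed


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "my-image:latest"
    sys.exit(0 if run_scan(target) else 1)
```

`verdict` is separated from `run_scan` so the decision logic can be unit-tested without docker; the sample report exercises the reporting path while the exit code, not the report, decides the outcome.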
Impact
Security scans become reliable, simpler, and aligned with Trivy best practices.