eclipse-tractusx · tom-rm-meyer-ISST · Aug 15, 2025 · Aug 15, 2025 · Aug 15, 2025 · Aug 15, 2025
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -41,14 +41,14 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
         with:
           image-ref: "tractusx/app-puris-frontend:latest"
           format: "sarif"
           output: "trivy-results-1.sarif"
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH).
-          exit-code: "1"
+          exit-code: "0"
           limit-severities-for-sarif: true
 
       - name: Upload Trivy scan results to GitHub Security tab
@@ -69,14 +69,14 @@ jobs:
     steps:
       # Pull image from Docker Hub and run Trivy vulnerability scanner
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
         with:
           image-ref: "tractusx/app-puris-backend:latest"
           format: "sarif"
           output: "trivy-results-2.sarif"
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH).
-          exit-code: "1"
+          exit-code: "0"
           limit-severities-for-sarif: true
 
       - name: Upload Trivy scan results to GitHub Security tab

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,11 +22,12 @@ The **need for configuration updates** is **marked bold**.
 * Updated End-to-End tests to support local authentication ([#920](https://github.com/eclipse-tractusx/puris/pull/920))
 * Update DemandAndCapacityNotification API to implement standard version 2.0 ([#921](https://github.com/eclipse-tractusx/puris/pull/921))
 * Update Frontend Notification View with grouping based on disruptionId and seperating by status, forwarding connected notifications, editing and resolving notifications ([#926](https://github.com/eclipse-tractusx/puris/pull/926))
+* CI: Trivy workflow should not fail if critical or high vulnerabilities are found ([#948](https://github.com/eclipse-tractusx/puris/pull/948)).
 
 ### Chore
 
 * Updated open API ([#929](https://github.com/eclipse-tractusx/puris/pull/929))
-* Updated dependencies to resolve high and critical security vulnerabilities ([#932](https://github.com/eclipse-tractusx/puris/pull/932))
+* Updated dependencies to resolve high and critical security vulnerabilities ([#932](https://github.com/eclipse-tractusx/puris/pull/932), [#948](https://github.com/eclipse-tractusx/puris/pull/948))
 
 ## v3.2.0