From c6124d9c7a02eba32563bde2dfd5a7c0d8244ec7 Mon Sep 17 00:00:00 2001
From: Jaroslav Shejbal
Date: Wed, 22 Jan 2025 16:44:17 +0100
Subject: [PATCH] trivy: update - do not omit report on fail
---
 .github/workflows/trivy-scan.yaml | 64 ++++++++++++++---------
 .github/workflows/trivy-udpate-cache.yaml | 2 +-
 2 files changed, 39 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml
index c61068f..48f4574 100644
--- a/.github/workflows/trivy-scan.yaml
+++ b/.github/workflows/trivy-scan.yaml
@@ -6,31 +6,43 @@ jobs: name: Scan runs-on: ubuntu-latest steps: - - name: Checkout project - uses: actions/checkout@v4 + - name: Checkout project + uses: actions/checkout@v4 - - name: Run Trivy scanner - uses: aquasecurity/trivy-action@master - env: - TRIVY_SKIP_DB_UPDATE: true - TRIVY_SKIP_JAVA_DB_UPDATE: true - with: - scan-type: fs - format: table - scan-ref: . - hide-progress: false - output: trivy.txt - severity: CRITICAL - ignore-unfixed: true - exit-code: 1 + - name: Run Trivy scanner - generate update + uses: aquasecurity/trivy-action@master + env: + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true + with: + scan-type: fs + format: table + scan-ref: . + hide-progress: false + output: trivy.txt - - name: Publish Trivy Output to Summary - run: | - if [[ -s trivy.txt ]]; then - { - echo "### Security Output" - echo '```terraform' - cat trivy.txt - echo '```' - } >> $GITHUB_STEP_SUMMARY - fi + - name: Publish Trivy Output to Summary + run: | + if [[ -s trivy.txt ]]; then + { + echo "### Security Output" + echo '```terraform' + cat trivy.txt + echo '```' + } >> $GITHUB_STEP_SUMMARY + fi + + - name: Run Trivy scanner - Fail build on Criticial Vulnerabilities + uses: aquasecurity/trivy-action@master + env: + TRIVY_SKIP_DB_UPDATE: true + TRIVY_SKIP_JAVA_DB_UPDATE: true + with: + scan-type: fs + format: table + scan-ref: . + hide-progress: false + output: trivy.txt + severity: CRITICAL + ignore-unfixed: true + exit-code: 1
diff --git a/.github/workflows/trivy-udpate-cache.yaml b/.github/workflows/trivy-udpate-cache.yaml
index 67027f8..6e15635 100644
--- a/.github/workflows/trivy-udpate-cache.yaml
+++ b/.github/workflows/trivy-udpate-cache.yaml
@@ -5,7 +5,7 @@ name: Trivy - Cache Update
 on:
 workflow_dispatch:
 schedule:
- - cron: '0 0 * * *'
+ - cron: "0 0 * * *"
 jobs:
 update-trivy-db:
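Review bot: The new `Run Trivy scanner - Fail build on Criticial Vulnerabilities` step keeps `output: trivy.txt`, so its CRITICAL-only report overwrites the file the summary step has already consumed, and because `output` appears to be passed through to Trivy's `--output` (which writes the report to the file rather than the step log), the findings that actually fail the job are not shown anywhere the failing step's log can be read; dropping `output: trivy.txt` from that step, or writing to a separate file and appending it to the summary, would make the failure cause visible. Both `uses: aquasecurity/trivy-action@master` references resolve to a moving branch, which means the scanner that gates this build can change without any change to this repository; pinning to a release tag or a full commit SHA keeps the gate reproducible and auditable. The step name also carries a typo: `- name: Run Trivy scanner - Fail build on Critical Vulnerabilities`. The job these steps belong to starts above the hunk, and the hunk is shown re-indented, so the removed and added checkout/publish lines appear to differ only in whitespace.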