severity: "CRITICAL,HIGH" configuration not respected in Trivy Action (v0.29.0), scanning includes all severities #435

Open
adarak14 opened this issue Nov 22, 2024 · 0 comments


When running the Trivy Action (version 0.29.0) in a GitHub Actions workflow with severity: "CRITICAL,HIGH" specified, the action does not limit the scan results to the specified severities. Instead, it processes vulnerabilities of all severities (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL), as shown in the debug logs.

Workflow:

```yaml
- name: Run Trivy scan (Table)
  uses: aquasecurity/trivy-action@0.29.0
  with:
    scan-type: "fs"
    format: "table"
    severity: "CRITICAL,HIGH"
    exit-code: 1
    hide-progress: false
    ignore-unfixed: true
  env:
    TRIVY_DEBUG: "true"
```

Github Action Debug Logs

Running Trivy with options: trivy fs .
2024-11-22T17:09:37Z	DEBUG	No plugins loaded
2024-11-22T17:09:37Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-22T17:09:37Z	DEBUG	Cache dir	dir="/home/runner/work/xxxxx/xxxx/.cache/trivy"
2024-11-22T17:09:37Z	DEBUG	Cache dir	dir="/home/runner/work/xxxx/xxxx/.cache/trivy"

**2024-11-22T17:09:37Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]**

2024-11-22T17:09:37Z	DEBUG	Ignore statuses	statuses=[0 1 2 4 5 6 7]
2024-11-22T17:09:37Z	DEBUG	DB update was skipped because the local DB is the latest
2024-11-22T17:09:37Z	DEBUG	DB info	schema=2 updated_at=2024-11-21T18:16:43.863577371Z next_update=2024-11-22T18:16:43.86357697Z downloaded_at=2024-11-22T00:07:56.61736953Z
2024-11-22T17:09:37Z	DEBUG	[pkg] Package types	types=[os library]
2024-11-22T17:09:37Z	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-11-22T17:09:37Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-22T17:09:37Z	INFO	[secret] Secret scanning is enabled
2024-11-22T17:09:37Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T17:09:37Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T17:09:37Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-11-22T17:09:37Z	DEBUG	Initializing scan cache...	type="memory"
2024-11-22T17:09:37Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-11-22T17:09:37Z	DEBUG	Skipping path	path=".git"
2024-11-22T17:09:48Z	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="node_modules"
2024-11-22T17:09:48Z	DEBUG	OS is not detected.
2024-11-22T17:09:48Z	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2024-11-22T17:09:48Z	DEBUG	Detected OS: unknown
2024-11-22T17:09:48Z	INFO	Number of language-specific files	num=1
2024-11-22T17:09:48Z	INFO	[npm] Detecting vulnerabilities...
2024-11-22T17:09:48Z	DEBUG	[npm] Scanning packages for vulnerabilities	file_path="package-lock.json"
2024-11-22T17:09:48Z	DEBUG	[vex] VEX filtering is disabled
Error: Process completed with exit code 1.

The same behavior is not observed when running the equivalent Trivy (v0.57.1) CLI command locally, where the --severity parameter works as expected and filters results correctly.

Running (trivy fs --debug --exit-code 1 --ignore-unfixed --severity "HIGH,CRITICAL" .) returns exit code 0 when checked with echo $?

CLI command logs

DEBUG	No plugins loaded
2024-11-22T12:49:11-05:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-22T12:49:11-05:00	DEBUG	Cache dir	dir="/Users/emed/Library/Caches/trivy"
2024-11-22T12:49:11-05:00	DEBUG	Cache dir	dir="/Users/emed/Library/Caches/trivy"
**2024-11-22T12:49:11-05:00	DEBUG	Parsed severities	severities=[HIGH CRITICAL]**
2024-11-22T12:49:11-05:00	DEBUG	Ignore statuses	statuses=[0 1 2 4 5 6 7]
2024-11-22T12:49:11-05:00	DEBUG	DB update was skipped because the local DB is the latest
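The two "Parsed severities" lines above are the quickest way to tell whether the severity filter actually reached Trivy. The following is an added example, not the reporter's or the project's code: it extracts that line from Trivy's debug output and compares it with the severity list the workflow intended, so a pipeline can flag a run where the filter was silently dropped. The log excerpts are constructed from the lines quoted in this issue.

```python
import re
from typing import Optional

# Constructed excerpt of the Action run's debug output quoted in the issue.
ACTION_LOG = """\
2024-11-22T17:09:37Z\tDEBUG\tNo plugins loaded
2024-11-22T17:09:37Z\tDEBUG\tParsed severities\tseverities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-11-22T17:09:37Z\tDEBUG\tIgnore statuses\tstatuses=[0 1 2 4 5 6 7]
"""

# Constructed excerpt of the local CLI run quoted in the issue.
CLI_LOG = """\
2024-11-22T12:49:11-05:00\tDEBUG\tParsed severities\tseverities=[HIGH CRITICAL]
2024-11-22T12:49:11-05:00\tDEBUG\tIgnore statuses\tstatuses=[0 1 2 4 5 6 7]
"""

# Matches the debug line Trivy prints after parsing --severity / TRIVY_SEVERITY.
_SEV_RE = re.compile(r"Parsed severities\s+severities=\[([^\]]*)\]")


def parsed_severities(log: str) -> Optional[set]:
    """Return the severity set Trivy reports it will scan for, or None if the
    debug line is absent (e.g. TRIVY_DEBUG was not enabled)."""
    m = _SEV_RE.search(log)
    if m is None:
        return None
    return set(m.group(1).split())


def severity_filter_applied(log: str, configured: str) -> bool:
    """True when the severities Trivy parsed equal the comma-separated list the
    workflow configured. Order does not matter; a missing debug line counts as
    a failure so the check cannot pass vacuously."""
    expected = {s.strip().upper() for s in configured.split(",") if s.strip()}
    actual = parsed_severities(log)
    return actual is not None and actual == expected


if __name__ == "__main__":
    # The Action run scanned every severity despite severity: "CRITICAL,HIGH".
    print(severity_filter_applied(ACTION_LOG, "CRITICAL,HIGH"))  # False
    # The local CLI run honoured --severity "HIGH,CRITICAL".
    print(severity_filter_applied(CLI_LOG, "HIGH,CRITICAL"))  # True
```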