diff --git a/.github/actions/osv-scanner/action.yml b/.github/actions/osv-scanner/action.yml
index 4bfb5993cb..de5116fdcf 100644
--- a/.github/actions/osv-scanner/action.yml
+++ b/.github/actions/osv-scanner/action.yml
@@ -1,5 +1,5 @@
 name: 'OSV-Scanner'
-description: 'Install osv-scanner and scan a lockfile, failing on HIGH/CRITICAL/UNKNOWN severity findings. Posts/updates a PR comment with findings on pull_request events (requires pull-requests: write).'
+description: 'Install osv-scanner and scan a lockfile, failing on CRITICAL severity findings. Posts/updates a PR comment with findings on pull_request events (requires pull-requests: write).'
 author: 'Prowler'
 inputs:
@@ -7,9 +7,9 @@ inputs:
     description: 'Path to the lockfile to scan, relative to the repository root (e.g. uv.lock, api/uv.lock, ui/pnpm-lock.yaml).'
     required: true
   severity-levels:
-    description: 'Comma-separated severity levels that fail the scan. Default: HIGH,CRITICAL,UNKNOWN.'
+    description: 'Comma-separated severity levels that fail the scan. Default: CRITICAL.'
     required: false
-    default: 'HIGH,CRITICAL,UNKNOWN'
+    default: 'CRITICAL'
   version:
     description: 'osv-scanner release tag to install. When overriding, you MUST also override binary-sha256.'
     required: false
diff --git a/.github/scripts/osv-scan.sh b/.github/scripts/osv-scan.sh
index d9c2e1a901..16afc6668c 100755
--- a/.github/scripts/osv-scan.sh
+++ b/.github/scripts/osv-scan.sh
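Review bot: The new `description:` states that the action fails on CRITICAL findings as a fixed fact, but the `severity-levels` input further down makes that only the default, so the summary under-describes what a caller can configure. Suggest `description: 'Install osv-scanner and scan a lockfile, failing on findings at the levels given by severity-levels (default: CRITICAL). Posts/updates a PR comment with findings on pull_request events (requires pull-requests: write).'` so a reader knows HIGH or UNKNOWN can still be made blocking per workflow.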
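Review bot: Dropping UNKNOWN from the `severity-levels` default means a finding whose advisory carries no CVSS score no longer fails the scan, and nothing in the hunk says so; unscored advisories are common for freshly published OSV/GHSA entries, so this opens a fail-open window rather than merely lowering the bar from HIGH to CRITICAL. If that is intended, the input description should state it, e.g. `description: 'Comma-separated severity levels that fail the scan. Default: CRITICAL. Findings without a CVSS score (UNKNOWN) do not fail the scan unless UNKNOWN is listed.'`; if not, `default: 'CRITICAL,UNKNOWN'` keeps the previous handling of unscored advisories while still relaxing HIGH. Whether the PR comment still lists the now non-blocking HIGH and UNKNOWN findings is not visible in this hunk and is worth confirming, since that comment becomes the only place they surface.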
@@ -6,8 +6,7 @@
 # - .github/workflows/api-security.yml, sdk-security.yml, ui-security.yml
 #
 # Severity levels (comma-separated) are read from OSV_SEVERITY_LEVELS.
-# Default: HIGH,CRITICAL,UNKNOWN — preserves prior .safety-policy.yml policy
-# (ignore-cvss-severity-below: 7 + ignore-cvss-unknown-severity: False).
+# Default: CRITICAL — only CVSS >= 9.0 findings fail the scan.
 # osv-scanner has no native CVSS threshold (google/osv-scanner#1400, closed
 # not-planned). Severity is derived from $group.max_severity (numeric CVSS
 # score string) which osv-scanner emits per group.
@@ -33,7 +32,7 @@ set -euo pipefail
 ROOT="$(git rev-parse --show-toplevel)"
 CONFIG="${ROOT}/osv-scanner.toml"
-SEVERITY_LEVELS="${OSV_SEVERITY_LEVELS:-HIGH,CRITICAL,UNKNOWN}"
+SEVERITY_LEVELS="${OSV_SEVERITY_LEVELS:-CRITICAL}"
 for bin in osv-scanner jq; do
   if ! command -v "${bin}" >/dev/null 2>&1; then
diff --git a/.github/workflows/api-container-checks.yml b/.github/workflows/api-container-checks.yml
index 44482e2428..e1bd756d86 100644
--- a/.github/workflows/api-container-checks.yml
+++ b/.github/workflows/api-container-checks.yml
@@ -134,5 +134,5 @@ jobs:
       with:
         image-name: ${{ env.IMAGE_NAME }}
         image-tag: ${{ github.sha }}
-        fail-on-critical: 'false'
+        fail-on-critical: 'true'
         severity: 'CRITICAL'
diff --git a/.github/workflows/mcp-container-checks.yml b/.github/workflows/mcp-container-checks.yml
index 7493e1b763..5f7a9f1447 100644
--- a/.github/workflows/mcp-container-checks.yml
+++ b/.github/workflows/mcp-container-checks.yml
@@ -127,5 +127,5 @@ jobs:
       with:
         image-name: ${{ env.IMAGE_NAME }}
         image-tag: ${{ github.sha }}
-        fail-on-critical: 'false'
+        fail-on-critical: 'true'
         severity: 'CRITICAL'
diff --git a/.github/workflows/sdk-container-checks.yml b/.github/workflows/sdk-container-checks.yml
index 42709ac6f7..fcb30578d8 100644
--- a/.github/workflows/sdk-container-checks.yml
+++ b/.github/workflows/sdk-container-checks.yml
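Review bot: The rewritten header line `# Default: CRITICAL — only CVSS >= 9.0 findings fail the scan.` drops the one sentence that said how unscored groups are treated; the removed lines named the old unknown-severity policy explicitly, and with UNKNOWN gone from the default a reader can no longer tell from the header that a group with an empty `max_severity` is non-blocking. Suggest extending it to `# Default: CRITICAL — only CVSS >= 9.0 findings fail the scan; groups with no max_severity (UNKNOWN) no longer block unless OSV_SEVERITY_LEVELS lists UNKNOWN.`. That wording assumes the derivation further down maps an empty score to UNKNOWN, as the old default implied; the mapping code is outside this hunk, so confirm before committing the sentence.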
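Review bot: `SEVERITY_LEVELS="${OSV_SEVERITY_LEVELS:-CRITICAL}"` accepts any string, and now that the default is a single level a misspelled or lower-cased override (`critical`, `CRITCAL`) would presumably match nothing and let every finding through — a fail-open on a configuration typo, which is the wrong failure mode for a merge gate. The comparison itself lies outside this hunk, but the tokens can be validated right after the assignment, using whichever level names the derivation below actually emits. The script continues past the end of the hunk.

```shell
SEVERITY_LEVELS="${OSV_SEVERITY_LEVELS:-CRITICAL}"
# Fail closed on a bad level list instead of silently matching nothing.
for lvl in ${SEVERITY_LEVELS//,/ }; do
  case "${lvl}" in
    LOW|MEDIUM|HIGH|CRITICAL|UNKNOWN) ;;
    *) echo "osv-scan.sh: unknown severity level '${lvl}' in OSV_SEVERITY_LEVELS" >&2; exit 2 ;;
  esac
done
# … unchanged: tool presence checks …
```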
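Review bot: Flipping `fail-on-critical` to `'true'` turns the image scan into a merge gate, but nothing in the hunk shows a path for a CRITICAL in the base image that has no fix yet; unless the scan action has an ignore-unfixed or allowlist input, the first such CVE blocks every PR on this workflow until the base image is rebuilt, and the usual reaction is to flip the flag back to `'false'`. Worth confirming the action's options before this lands and, if there is no such input, adding a documented ignore file alongside it. A short comment above the flag, `# gate on CRITICAL only, matching the osv-scanner lockfile default`, would also record why this level and not HIGH was chosen. The step's `uses:` line is outside the hunk, so the action and its inputs are not visible here.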
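Review bot: This is the second of four workflows in the diff that set the identical `fail-on-critical: 'true'` / `severity: 'CRITICAL'` pair by hand, so the next policy change is again a four-file edit that can drift between services. A point of style rather than correctness: make `'true'` the scan action's own default, or move the scan step into a reusable workflow, so each per-service file only carries `image-name` and `image-tag`. The step's `uses:` line is outside the hunk, so the action's current default for `fail-on-critical` is not visible here.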
@@ -153,5 +153,5 @@ jobs:
       with:
         image-name: ${{ env.IMAGE_NAME }}
         image-tag: ${{ github.sha }}
-        fail-on-critical: 'false'
+        fail-on-critical: 'true'
         severity: 'CRITICAL'
diff --git a/.github/workflows/ui-container-checks.yml b/.github/workflows/ui-container-checks.yml
index 0eae703fce..10415f4d48 100644
--- a/.github/workflows/ui-container-checks.yml
+++ b/.github/workflows/ui-container-checks.yml
@@ -132,5 +132,5 @@ jobs:
       with:
         image-name: ${{ env.IMAGE_NAME }}
         image-tag: ${{ github.sha }}
-        fail-on-critical: 'false'
+        fail-on-critical: 'true'
         severity: 'CRITICAL'
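Review bot: With `fail-on-critical: 'true'` and `severity: 'CRITICAL'` side by side, a reader cannot tell from the step which input filters the report and which one fails the job; the names suggest `severity` selects what is reported and `fail-on-critical` turns a CRITICAL hit into a failure, but that is inferred from the names, not from anything in the hunk. Once the action's inputs have been checked, a one-line comment above the pair, `# severity: levels to report; fail-on-critical: fail the job when a CRITICAL is found`, would settle it for the next person who edits the gate. The step's `uses:` line sits outside the hunk.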