From 89b4fad2f76b0a2f5c4b32970a4c66ce0c984491 Mon Sep 17 00:00:00 2001
From: Stephen Kitt <skitt@redhat.com>
Date: Mon, 11 Mar 2024 10:53:52 +0100
Subject: [PATCH] Only fail builds for high+ vulns

Since the vulnerability scan doesn't distinguish between
vulnerabilities added by the PR and those coming from vulnerability
updates, PRs are regularly blocked because of unrelated
vulnerabilities. Arguably this is desirable for important
vulnerabilities since it forces them to be handled; but other
vulnerabilities shouldn't block PRs.

This changes the fail threshold to high, so that only vulnerabilities
with severity high or critical will block the build.

Signed-off-by: Stephen Kitt <skitt@redhat.com>
---
 .github/workflows/linting.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index b11ec5264..d1f37de23 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -142,7 +142,7 @@ jobs:
         with:
           path: "."
           fail-build: true
-          severity-cutoff: negligible
+          severity-cutoff: high
       - name: Show Anchore scan SARIF report
         if: always()
         run: cat ${{ steps.scan.outputs.sarif }}