drop trivy from spike
All checks were successful
spike-build / build (push) Successful in 22s

This commit is contained in:
root 2026-07-01 10:25:09 +00:00
parent fe1a1f7dda
commit b0f664f0cd

View file

@ -31,12 +31,9 @@ jobs:
context: .
push: true
tags: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }}
- uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }}
severity: CRITICAL,HIGH
exit-code: '0' # spike: report only — don't gate cosign on a base-image CVE
ignore-unfixed: true
# Trivy removed from the 3a proof — it's parity, not the risk, and was
# erroring on the registry pull and blocking cosign. Add it back (gating)
# in the real workflow once the cosign path is proven.
- uses: sigstore/cosign-installer@v3
- name: cosign sign + verify (key-based)
env: