
Security: Enforce Trivy security scan failures for detected vulnerabilities #1427

@coderabbitai

Description


Problem Description

The newly added Trivy security scanning workflow in .github/workflows/security.yaml is configured with exit-code: '0', which causes the security check to always pass even when CRITICAL vulnerabilities are detected. This undermines the security gate's effectiveness and allows vulnerable code to proceed unchecked.

Current Configuration

- name: Trivy scan
  uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4
  with:
    scan-type: 'fs'
    format: 'sarif'
    output: 'trivy-results.sarif'
    severity: 'MEDIUM,HIGH,CRITICAL'
    exit-code: '0'  # ❌ Never fails, even for CRITICAL vulnerabilities
    ignore-unfixed: false

Security Impact

  • CRITICAL and HIGH severity vulnerabilities can pass through unchecked
  • Security gate bypass - defeats the purpose of vulnerability scanning
  • No visibility in PR checks - vulnerabilities only appear in Security tab
  • Delayed remediation - issues discovered after merge instead of during development

Solution Options

Option 1: Immediate Full Enforcement (Recommended)

exit-code: '1'  # Fail on any detected vulnerability (MEDIUM+)

Option 2: Phased Enforcement (Conservative)

severity: 'HIGH,CRITICAL'  # Only scan for severe issues initially
exit-code: '1'             # Fail on HIGH and CRITICAL

Option 3: Critical-Only Enforcement

severity: 'CRITICAL'       # Most restrictive - only CRITICAL issues
exit-code: '1'             # Fail on CRITICAL vulnerabilities

Acceptance Criteria

Phase 1: Basic Enforcement

  • Remove or modify exit-code: '0' configuration
  • Verify security scan fails when vulnerabilities are detected
  • Test with known vulnerable dependencies to confirm gate works
  • Document severity levels that trigger failures

Phase 2: Process Integration

  • Update contribution guidelines to mention security scanning requirements
  • Add documentation on handling security scan failures
  • Establish process for vulnerability remediation vs. acceptable risk decisions
  • Configure appropriate notifications for security team

Phase 3: Monitoring & Refinement

  • Monitor false positive rates and tune severity thresholds if needed
  • Establish SLA for vulnerability remediation based on severity
  • Consider allowlist mechanism for accepted risks (if required)

Implementation Guidance

Recommended Immediate Action

- exit-code: '0'
+ exit-code: '1'
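Review bot: flipping `exit-code` alone is not enough to satisfy steps 3 and 4 of the Testing Approach below, because once the Trivy step exits non-zero, GitHub Actions skips the remaining steps of the job by default, so the SARIF upload that feeds the Security tab never runs on exactly the builds that found something. The upload step needs `if: always()` (optionally combined with a `hashFiles('trivy-results.sarif') != ''` guard so it does not fail when the scan produced no file), and the job needs `security-events: write` permission for the upload to succeed.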

Testing Approach

  1. Create test branch with known vulnerable dependency
  2. Trigger security workflow and verify it fails appropriately
  3. Test SARIF upload continues to work even when scan fails
  4. Verify GitHub Security tab still receives results

Risk Mitigation

  • Start with HIGH,CRITICAL severity only if concerned about initial impact
  • Monitor first few weeks for unexpected failures
  • Maintain SARIF upload even on scan failures for visibility
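The following is an added example, not the repository's own security.yaml, showing the Option 2 configuration from this issue together with a SARIF upload that survives a failing scan (the "Maintain SARIF upload even on scan failures" point above). The Trivy action pin is the one quoted in the issue; the workflow name, triggers, checkout step, the use of github/codeql-action/upload-sarif, and the `trivyignores` input name are assumptions about the repository.

```yaml
# Added example (not the repository's workflow): hardened Trivy gate plus a
# SARIF upload that still runs when the gate fails. Names, triggers and the
# upload action are assumptions; the Trivy action pin is from the issue.
name: security

on:
  pull_request:
  push:
    branches: [main]          # assumed default branch

permissions:
  contents: read
  security-events: write      # needed for the SARIF upload to the Security tab

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Trivy scan
        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4
        with:
          scan-type: 'fs'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'   # Option 2 (phased); widen to MEDIUM,HIGH,CRITICAL for Option 1
          exit-code: '1'              # fail the step, and so the PR check, on any finding at these severities
          ignore-unfixed: false
          # Phase 3 allowlist hook (input name is an assumption): accepted risks
          # are listed as CVE ids in a reviewed .trivyignore file.
          # trivyignores: '.trivyignore'

      # A failed step skips the rest of the job by default, so without
      # `if: always()` the Security tab would never receive the findings that
      # caused the failure. The hashFiles guard keeps the upload from failing
      # on its own when the scan aborted before writing any report.
      - name: Upload Trivy results
        if: always() && hashFiles('trivy-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3   # pin to a commit SHA like the Trivy step
        with:
          sarif_file: 'trivy-results.sarif'
```

With this layout the Trivy step is the enforcement point (a red PR check), while the upload step is purely for visibility and never decides pass/fail. The severity list and the `.trivyignore` allowlist are the two knobs the issue's Phase 3 tuning would touch; keep `ignore-unfixed: false` so unfixed findings still surface in the Security tab even if the team later decides not to gate on them.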

Context

Additional Notes

This issue follows the established pattern of systematic security improvements in the repository. The Trivy scan currently provides visibility through SARIF uploads but lacks enforcement capability, which is essential for maintaining security standards in the development pipeline.
