From fdcb280dae60c8ec4498bff956d3992b910c3cb7 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Mon, 20 Apr 2026 13:38:33 +0300
Subject: [PATCH] ci: raise grype severity cutoff from medium to high

Medium-severity vulnerabilities in base images and transitive deps routinely block container builds (e.g. PR #509 Pinecone MCP) even when no fix is available upstream. Only fail the build on high/critical findings; medium and below still upload to the Security tab via SARIF.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/build-containers.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-containers.yml b/.github/workflows/build-containers.yml
index 0f386ec..2e5830a 100644
--- a/.github/workflows/build-containers.yml
+++ b/.github/workflows/build-containers.yml
@@ -539,7 +539,7 @@ jobs:
 uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
 with:
 image: "local-scan:${{ steps.meta.outputs.server_name }}-${{ steps.meta.outputs.version }}"
- severity-cutoff: "medium"
+ severity-cutoff: "high"
 output-format: "sarif"
 - name: Upload Grype results to GitHub Security
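Review bot: Raising `severity-cutoff` to `"high"` also stops the build from failing on medium findings that do have an upstream fix, which is broader than the problem the commit message describes (unfixable medium findings in base images and transitive deps). anchore/scan-action exposes an `only-fixed` input that drops findings with no fix available, so keeping `severity-cutoff: "medium"` and adding `only-fixed: "true"` under `with:` would unblock the cited case while still gating on fixable medium CVEs — worth confirming the pinned v7.3.2 accepts that input before relying on it. For any remaining unfixable finding that must be accepted, a `.grype.yaml` ignore rule naming the vulnerability with a reason is more auditable than lowering the global threshold. Whichever threshold is kept, a comment on the line such as `# gate only on fixable findings; unfixable mediums still reach the Security tab via SARIF` records the rationale next to the setting instead of only in git history. The step and job that contain this `with:` block start and end outside the hunk.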