From 9eb8ba86118f23bea426454d40ee78c0658a1843 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Tue, 21 Apr 2026 11:00:26 +0300
Subject: [PATCH] ci: set only-fixed on grype scan to skip CVEs without a fix

Grype currently fails build-containers on HIGH+ CVEs even when upstream has no available fix (e.g. CVE-2026-32631 git, CVE-2026-27135 nghttp2-libs on Alpine). These block new spec.yaml PRs on base-image drift that the PR author cannot resolve. With only-fixed: true, grype only fails on vulnerabilities that actually have a remediation path, so the gate keeps its meaning without blocking on nothing-to-do findings.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/build-containers.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build-containers.yml b/.github/workflows/build-containers.yml
index b7f9166..5360cc3 100644
--- a/.github/workflows/build-containers.yml
+++ b/.github/workflows/build-containers.yml
@@ -540,6 +540,7 @@ jobs:
 with:
 image: "local-scan:${{ steps.meta.outputs.server_name }}-${{ steps.meta.outputs.version }}"
 severity-cutoff: "high"
+ only-fixed: "true"
 output-format: "sarif"
 - name: Upload Grype results to GitHub Security
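Review bot: The new `only-fixed: "true"` input filters unfixed findings out of the scan result itself, not only out of the pass/fail decision, so if the action forwards it to grype as `--only-fixed` the SARIF that the following "Upload Grype results to GitHub Security" step publishes will also stop listing unfixed HIGH/CRITICAL CVEs such as the two named in the commit message, and nothing tracks them until upstream ships a fix or someone chooses a non-package mitigation (dropping the package, changing the base image). Because this deliberately narrows the gate, the key deserves an inline comment stating the tradeoff, e.g. `# Ignore CVEs with no upstream fix (base-image drift PR authors cannot act on).` / `# NOTE: this also removes them from the SARIF uploaded to the Security tab below.` If visibility in the Security tab matters, consider keeping an unfiltered scan for the upload (using the action's non-failing mode, if it offers one) while the filtered scan remains the blocking gate, or an expiring per-CVE ignore entry in a grype config instead of a blanket filter. The `uses:` line of this scan step sits above the hunk and the upload step continues below it, so the exact action version and whether it understands `only-fixed` cannot be confirmed from here.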