fix: need a default threshold for failure threshold (#186)

owenrumney · Copilot · web-flow · commit 6436b6823167 · 2025-06-11T23:55:34.000+01:00
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/trivy-task/trivyV1/task.json b/trivy-task/trivyV1/task.json
@@ -10,8 +10,8 @@
   "author": "Aqua Security",
   "version": {
     "Major": 1,
-    "Minor": 18,
-    "Patch": 2
+    "Minor": 19,
+    "Patch": 1
   },
   "instanceNameFormat": "Echo trivy $(version)",
   "groups": [
diff --git a/trivy-task/trivyV2/index.ts b/trivy-task/trivyV2/index.ts
@@ -93,9 +93,6 @@ function highestSeverityBreached(
   inputs: TaskInputs,
   resultsFilePath: string
 ): boolean {
-  if (!inputs.failOnSeverityThreshold) {
-    return false;
-  }
   task.debug(`Fail on severity threshold: ${inputs.failOnSeverityThreshold}`);
 
   const severityThreshold = inputs.failOnSeverityThreshold.toUpperCase();
@@ -132,18 +129,30 @@ function checkScanResult(exitCode: number, inputs: TaskInputs) {
   );
 
   task.debug(`Highest severity breached: ${isHighestSeverityBreached}`);
-  if (exitCode === 2 && inputs.ignoreScanErrors && isHighestSeverityBreached) {
-    task.setResult(task.TaskResult.SucceededWithIssues, 'Issues found.');
-  } else if (
-    exitCode === 2 &&
-    !inputs.ignoreScanErrors &&
-    isHighestSeverityBreached
-  ) {
-    task.setResult(task.TaskResult.Failed, 'Issues found.');
-  } else if (exitCode === 2 && !highestSeverityBreached) {
-    task.setResult(task.TaskResult.Succeeded, 'No issues found.');
+  if (exitCode === 2 && inputs.ignoreScanErrors) {
+    if (isHighestSeverityBreached) {
+      task.setResult(task.TaskResult.SucceededWithIssues, 'Issues found.');
+      return;
+    } else {
+      task.setResult(
+        task.TaskResult.Succeeded,
+        'Issues found but ignoring scan errors as per configuration.'
+      );
+      return;
+    }
+  } else if (exitCode === 2 && !inputs.ignoreScanErrors) {
+    if (isHighestSeverityBreached) {
+      task.setResult(task.TaskResult.Failed, 'Issues found.');
+    } else {
+      task.setResult(
+        task.TaskResult.Succeeded,
+        'No issues found.'
+      );
+    }
+    return;
   } else {
     task.setResult(task.TaskResult.Failed, 'Trivy runner error.', true);
+    return;
   }
 }
 
diff --git a/trivy-task/trivyV2/inputs.ts b/trivy-task/trivyV2/inputs.ts
@@ -47,7 +47,7 @@ export function getTaskInputs(): TaskInputs {
     showSuppressed: task.getBoolInput('showSuppressed', false),
     ignoreScanErrors: task.getBoolInput('ignoreScanErrors', false),
     failOnSeverityThreshold:
-      task.getInput('failOnSeverityThreshold', false) ?? '',
+      task.getInput('failOnSeverityThreshold', false) ?? 'UNKNOWN', // default to UNKNOWN
     reports: task.getDelimitedInput('reports', ',').map((s) => s.trim()),
     publish: task.getBoolInput('publish', false),
     templates: task.getInput('templates', false),
diff --git a/trivy-task/trivyV2/task.json b/trivy-task/trivyV2/task.json
@@ -10,8 +10,8 @@
   "author": "Aqua Security",
   "version": {
     "Major": 2,
-    "Minor": 5,
-    "Patch": 2
+    "Minor": 6,
+    "Patch": 1
   },
   "instanceNameFormat": "Echo trivy $(version)",
   "groups": [
