ci: split vulnerability scans into critical-fail and high-warn tiers

[Aureliolo]

Summary

• Split Trivy scans into two steps per job: CRITICAL (exit-code 1, hard fail) and HIGH (exit-code 0, warn only) — both reference .trivyignore.yaml
• Change Grype severity-cutoff from high to critical — only CRITICAL vulns block the build
• Add .trivyignore.yaml with CVE-2026-22184 (disputed zlib untgz demo utility vuln — upstream disputes CVE validity, nginx-unprivileged maintainer closed as not-zlib)
• Add .grype.yaml with matching ignore entry for Grype parity

Motivation: The Docker workflow was failing on the web image due to CVE-2026-22184 (CVSS 9.3 CRITICAL) in Alpine's zlib package. The CVE affects only the untgz demo utility in contrib/, not core zlib compression. The zlib maintainer disputes the CVE and the nginx-unprivileged maintainer closed the issue. The base Alpine image hasn't been rebuilt with the patch.

New scan behavior per job:

Scanner	Severity	Behavior
Trivy	CRITICAL	Hard fail (exit-code 1)
Trivy	HIGH	Warn only (exit-code 0, visible in logs)
Grype	CRITICAL	Hard fail
Grype	HIGH	Allowed through (below cutoff)

Both scanners consume their respective ignore files for disputed/false-positive CVEs.

Test plan

• Docker workflow passes on this branch (web image no longer blocked by CVE-2026-22184)
• Trivy CRITICAL step uses .trivyignore.yaml (check logs for absence of CVE-2026-22184)
• Trivy HIGH step runs with exit-code 0 (succeeds even if HIGHs found)
• Grype uses severity-cutoff: critical and reads .grype.yaml
• Both backend and web jobs have identical scan configuration

Review coverage

• Auto-skipped agent review (no substantive code changes — CI workflow + scanner config only)
• Pre-commit hooks passed (check-yaml, gitleaks, commitizen)

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the CI/CD vulnerability scanning process to prevent build failures caused by disputed or non-critical vulnerabilities. By introducing distinct critical-fail and high-warn tiers for Trivy scans and adjusting Grype's severity cutoff, the system now intelligently filters out false positives like CVE-2026-22184, which was previously blocking web image builds. This change aims to improve the efficiency of the development workflow by ensuring that only genuinely critical and relevant security issues halt the build process, without compromising overall security posture.

Highlights

• Vulnerability Scan Tiers: Split Trivy scans into two steps per job: CRITICAL (hard fail) and HIGH (warn only), both referencing .trivyignore.yaml.
• Grype Severity Cutoff: Changed Grype's severity-cutoff from high to critical, ensuring only critical vulnerabilities block the build.
• CVE Ignore Files: Added .trivyignore.yaml and .grype.yaml to ignore CVE-2026-22184, a disputed zlib vulnerability.

Changelog

• .grype.yaml
  • Added a new configuration file for Grype.
• .trivyignore.yaml
  • Added a new ignore file for Trivy.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/docker.yml

Activity

• The Docker workflow is expected to pass on this branch, resolving the CVE-2026-22184 blocking issue.
• Trivy CRITICAL step is configured to use .trivyignore.yaml for vulnerability filtering.
• Trivy HIGH step is configured to run with exit-code 0, allowing it to succeed even if high-severity issues are found (warn only).
• Grype is configured to use severity-cutoff: critical and read .grype.yaml for its scans.
• Both backend and web jobs are expected to have identical scan configurations.
• Agent review was auto-skipped as there were no substantive code changes, only CI workflow and scanner configuration.
• Pre-commit hooks (check-yaml, gitleaks, commitizen) passed successfully.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f77544b3-2a69-4b56-8fab-aa73491cfd9c

📥 Commits

Reviewing files that changed from the base of the PR and between 02243e3 and 0db2bd2.

📒 Files selected for processing (3)

• .github/workflows/docker.yml
• CLAUDE.md
• DESIGN_SPEC.md

---

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Split vulnerability scanning into two severity-tiered scans with distinct pass/fail behavior.
  • Added CI ignore configurations to exempt a specific non-core vulnerability from blocking releases.
• Documentation
  • Updated CI docs to describe scanning behavior, thresholds, and added notes on dependency checks and coverage.

Walkthrough

Splits Trivy scans in CI into two steps (critical = fail, high = warn) and adds synchronized ignore configs for CVE-2026-22184; updates Grype severity cutoff to critical and applies changes to backend and web workflows.

Changes

Cohort / File(s)	Summary
CI/CD Workflow Configuration .github/workflows/docker.yml	Replaces single Trivy step with two Trivy steps per job: "critical" (exit-code 1, severity CRITICAL, uses .trivyignore.yaml) and "high" (exit-code 0, severity HIGH, continue-on-error, uses .trivyignore.yaml). Updates Grype severity-cutoff from HIGH to CRITICAL. Applied to backend and web jobs.
Security Ignore Configurations .grype.yaml, .trivyignore.yaml	New files adding an ignore for CVE-2026-22184 with a multiline rationale stating it affects only a contrib demo (untgz) and is disputed upstream; files are documented as synchronized.
Documentation / Spec CLAUDE.md, DESIGN_SPEC.md	Minor documentation updates: explicitly documents scanning thresholds/behavior, notes added CI checklist items (dependency review, coverage), and mentions the new ignore config files.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant GH as GitHub Actions Runner
  participant TrC as Trivy (critical)
  participant TrH as Trivy (high)
  participant Gr as Grype
  participant GHCR as GHCR (registry)

  GH->>TrC: Run Trivy scan (severity=CRITICAL, exit-code=1)
  TrC-->>GH: Report findings (fail pipeline if CRITICAL found)
  alt no critical findings
    GH->>TrH: Run Trivy scan (severity=HIGH, exit-code=0, warn-only)
    TrH-->>GH: Report findings (warnings)
    GH->>Gr: Run Grype scan (severity-cutoff=CRITICAL)
    Gr-->>GH: Report findings (fail if critical)
    alt scans pass
      GH->>GHCR: Push images
    end
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main change: splitting vulnerability scans into two tiers (critical-fail and high-warn) in the CI workflow.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, detailing the split Trivy scans, Grype configuration changes, and CVE rationale.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ci/cve-triage-workflow

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch ci/cve-triage-workflow

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request intends to refine the vulnerability scanning process by distinguishing between critical and high-severity vulnerabilities and ignoring a specific CVE. While no new vulnerabilities were introduced by these changes, a critical typo in the CVE identifier (CVE-2026-22184 instead of CVE-2022-37434) in both .grype.yaml and .trivyignore.yaml will prevent the ignore rules from functioning as intended. Please correct the CVE identifier in both configuration files to ensure the desired vulnerability is properly ignored.

[gemini-code-assist]

There appears to be a typo in the CVE identifier. Based on the context and the links provided in the PR description, the correct identifier should be CVE-2022-37434, not CVE-2026-22184. With the current typo, Grype will not ignore the intended vulnerability, and the build may continue to fail.

  - vulnerability: CVE-2022-37434

[gemini-code-assist]

There seems to be a typo in the CVE identifier. The correct identifier for the disputed zlib vulnerability is CVE-2022-37434, not CVE-2026-22184. This typo will prevent Trivy from ignoring the vulnerability as intended.

  - id: CVE-2022-37434

[greptile-apps]

Greptile Summary

This PR refines the Docker CI vulnerability scanning strategy by splitting Trivy scans into a hard-failing CRITICAL tier and a warn-only HIGH tier, lowering Grype's severity cutoff to critical, and introducing .trivyignore.yaml / .grype.yaml config files to suppress the disputed CVE-2026-22184 across both scanners.

• Two-tier Trivy scan: CRITICAL findings hard-fail (exit-code 1); HIGH findings are surfaced as visible warnings in logs but never block the build (exit-code: "0"). Both steps are symmetric across build-backend and build-web.
• Grype cutoff lowered to critical: Grype now only blocks on CRITICAL findings. Unlike Trivy, Grype has no "warn-only" mode below the cutoff, so HIGH vulnerabilities are now completely invisible from Grype's output. Trivy's HIGH warn step is the only remaining surface for HIGH-severity findings.
• CVE-2026-22184 suppressed: Correctly added to both .trivyignore.yaml (with upstream-linked statement) and .grype.yaml (with matching reason). The Grype config is now explicitly wired via config: .grype.yaml, addressing the implicit-discovery concern raised in the previous review thread.
• continue-on-error: true is redundant on the HIGH Trivy step: exit-code: "0" already guarantees a passing step when vulnerabilities are found; adding continue-on-error: true on top goes further and silently swallows any scan infrastructure errors (DB download failures, image pull errors). This applies to both the build-backend (line 110) and build-web (line 221) jobs.

Confidence Score: 4/5

• Safe to merge — changes are well-scoped CI config with one minor style concern that doesn't affect correctness.
• The two-tier scan logic is correctly and symmetrically implemented across both jobs, the CVE suppression is well-documented with upstream references, and the Grype config is now explicitly wired. The only notable issue is that continue-on-error: true alongside exit-code: "0" is redundant and could mask scan tool infrastructure errors in the HIGH step — but in practice the CRITICAL step (which lacks continue-on-error) runs first and would catch most infrastructure failures before the HIGH step is reached.
• .github/workflows/docker.yml — review the continue-on-error: true on both HIGH Trivy scan steps.

Important Files Changed

Filename	Overview
.github/workflows/docker.yml	Splits Trivy scans into critical (hard fail) and high (warn-only) steps for both build jobs; lowers Grype cutoff from high to critical; adds explicit config: .grype.yaml wiring. Logic is sound and symmetric across both jobs. Minor: continue-on-error: true is redundant alongside exit-code: "0" and could silently mask scan infrastructure errors.
.trivyignore.yaml	New structured YAML ignore file for Trivy; suppresses CVE-2026-22184 with a well-documented statement and upstream references. Missing an expiry-date field (already noted in a previous review thread).
.grype.yaml	New Grype config file with a matching ignore entry for CVE-2026-22184. Correct vulnerability: key format for Grype's ignore schema. Kept in sync with .trivyignore.yaml as documented.
CLAUDE.md	CI section updated to reflect the new two-tier scan behavior and the two new CVE ignore config files. Documentation change only, accurate and complete.
DESIGN_SPEC.md	Adds .grype.yaml and .trivyignore.yaml entries to the project directory tree. Documentation change only.

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant Trivy_C as Trivy (CRITICAL)
    participant Trivy_H as Trivy (HIGH)
    participant Grype as Grype
    participant GHCR as GHCR

    GHA->>Trivy_C: Scan image — severity: CRITICAL, exit-code: 1
    Trivy_C-->>GHA: Reads .trivyignore.yaml
    alt CRITICAL found (not ignored)
        Trivy_C-->>GHA: exit 1 → workflow FAILS
    else No blocking CRITICALs
        Trivy_C-->>GHA: exit 0 → continue

        GHA->>Trivy_H: Scan image — severity: HIGH, exit-code: 0, continue-on-error: true
        Trivy_H-->>GHA: Reads .trivyignore.yaml
        Trivy_H-->>GHA: exit 0 (warn in logs, never blocks)

        GHA->>Grype: Scan image — severity-cutoff: critical, config: .grype.yaml
        Grype-->>GHA: Reads .grype.yaml (ignores CVE-2026-22184)
        alt CRITICAL found (not ignored)
            Grype-->>GHA: fail-build: true → workflow FAILS
        else No blocking CRITICALs
            Grype-->>GHA: pass → continue
            GHA->>GHCR: Push image + sign with cosign
        end
    end

Loading

_{Last reviewed commit: 0db2bd2}

[greptile-apps]

No expiry date on CVE suppression

Trivy's structured YAML ignore format supports an expiry-date field. Without it, this entry will silently suppress CVE-2026-22184 indefinitely — even after Alpine rebuilds its base image with a patched zlib. If the patch lands before the ignore entry is manually reviewed, future scans would still mask it with no alert.

Consider adding an expiry date (e.g. 90 days out) so the entry automatically becomes actionable if the upstream situation hasn't resolved by then:

Suggested change

	- id: CVE-2026-22184
	statement: >-
	Disputed zlib vulnerability affecting only the untgz demo utility
	in contrib/, not core zlib compression. Our images do not ship or
	invoke untgz. Upstream disputes CVE validity:
	https://github.com/madler/zlib/issues/1148
	nginx-unprivileged maintainer closed as not-zlib:
	https://github.com/nginx/docker-nginx-unprivileged/issues/381
	vulnerabilities:
	- id: CVE-2026-22184
	expiry-date: "2026-06-10"
	statement: >-
	Disputed zlib vulnerability affecting only the untgz demo utility
	in contrib/, not core zlib compression. Our images do not ship or
	invoke untgz. Upstream disputes CVE validity:
	https://github.com/madler/zlib/issues/1148
	nginx-unprivileged maintainer closed as not-zlib:
	https://github.com/nginx/docker-nginx-unprivileged/issues/381

Prompt To Fix With AI

This is a comment left during a code review.
Path: .trivyignore.yaml
Line: 4-11

Comment:
**No expiry date on CVE suppression**

Trivy's structured YAML ignore format supports an `expiry-date` field. Without it, this entry will silently suppress CVE-2026-22184 **indefinitely** — even after Alpine rebuilds its base image with a patched zlib. If the patch lands before the ignore entry is manually reviewed, future scans would still mask it with no alert.

Consider adding an expiry date (e.g. 90 days out) so the entry automatically becomes actionable if the upstream situation hasn't resolved by then:

```suggestion
vulnerabilities:
  - id: CVE-2026-22184
    expiry-date: "2026-06-10"
    statement: >-
      Disputed zlib vulnerability affecting only the untgz demo utility
      in contrib/, not core zlib compression. Our images do not ship or
      invoke untgz. Upstream disputes CVE validity:
      https://github.com/madler/zlib/issues/1148
      nginx-unprivileged maintainer closed as not-zlib:
      https://github.com/nginx/docker-nginx-unprivileged/issues/381
```

How can I resolve this? If you propose a fix, please make it concise.

[Copilot]

Pull request overview

This PR adjusts the Docker image security scanning workflow to fail builds only on CRITICAL vulnerabilities while still surfacing HIGH findings in logs, and adds scanner-specific ignore configurations for a disputed CVE.

Changes:

• Split Trivy scanning into CRITICAL (hard-fail) and HIGH (warn-only) steps for both backend and web images, both using .trivyignore.yaml.
• Lower Grype gating from high to critical via severity-cutoff: critical.
• Add .trivyignore.yaml and .grype.yaml with an ignore entry for CVE-2026-22184.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
.github/workflows/docker.yml	Splits Trivy scans by severity and changes Grype cutoff to CRITICAL for backend and web jobs.
.trivyignore.yaml	Adds Trivy YAML ignore entry for CVE-2026-22184 with rationale/links.
.grype.yaml	Adds Grype ignore entry for CVE-2026-22184 to mirror Trivy’s ignore list.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

.grype.yaml is added in this PR, but the Grype scan step doesn’t explicitly reference it (no config/args pointing to .grype.yaml). If anchore/scan-action doesn’t automatically discover repo-local config in its execution environment, the CVE ignore won’t apply and the job can still fail on CVE-2026-22184. Consider passing the config explicitly (or adding a note/assertion in the workflow logs) so it’s unambiguous that Grype is using the intended ignore list.

Suggested change

	severity-cutoff: critical
	severity-cutoff: critical
	grype-config: .grype.yaml

[Copilot]

.grype.yaml is added in this PR, but the Grype scan step doesn’t explicitly reference it (no config/args pointing to .grype.yaml). If anchore/scan-action doesn’t automatically discover repo-local config in its execution environment, the CVE ignore won’t apply and the job can still fail on CVE-2026-22184. Consider passing the config explicitly (or adding a note/assertion in the workflow logs) so it’s unambiguous that Grype is using the intended ignore list.

Suggested change

	severity-cutoff: critical
	severity-cutoff: critical
	grype-config: .grype.yaml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/docker.yml:
- Around line 108-115: The Trivy step named "Trivy scan (high — warn only)"
currently sets exit-code: "0" but can still fail the job on unexpected errors;
update that job step to include continue-on-error: true so the workflow treats
this scan as a non-blocking warning. Locate the step with name "Trivy scan (high
— warn only)" (uses: aquasecurity/trivy-action@...) and add continue-on-error:
true alongside the existing with/exit-code and severity settings to make the
intent explicit and resilient.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 990890a9-ef9f-40b8-98ba-76aef2ffa787

📥 Commits

Reviewing files that changed from the base of the PR and between 435bdfe and 02243e3.

📒 Files selected for processing (3)

• .github/workflows/docker.yml
• .grype.yaml
• .trivyignore.yaml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Agent
• GitHub Check: Greptile Review

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: CR
Repo: Aureliolo/ai-company PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-10T18:49:27.779Z
Learning: Use `/aurelio-review-pr` to handle external reviewer feedback after PR exists

🔇 Additional comments (5)

.github/workflows/docker.yml (3)

208-224: Web job scan configuration mirrors backend — good consistency.

The identical scan configuration between backend and web jobs ensures uniform security posture across both images.

---

99-122: Backend scan configuration is well-structured.

The dual-scan pattern correctly separates concerns:

• CRITICAL vulnerabilities block the build (exit-code: "1")
• HIGH vulnerabilities are reported but don't fail (exit-code: "0")

The trivyignores: .trivyignore.yaml parameter is correct for trivy-action v0.35.0. Both Trivy steps and Grype are aligned on the critical-only blocking policy.

---

117-122: No action required — auto-detection will work correctly.

The .grype.yaml at the repository root will be picked up automatically by anchore/scan-action since the action does not override Grype's config auto-discovery. Grype's default behavior checks for ./.grype.yaml first, which matches your repository structure.

.grype.yaml (1)

1-8: Configuration is correct and properly placed.

The .grype.yaml file is correctly positioned at the repository root for auto-detection by the Grype scanner. The YAML syntax is valid, and the ignore entry for CVE-2026-22184 is properly structured with clear justification.

.trivyignore.yaml (1)

1-11: Well-documented ignore entry with proper audit trail.

The structured YAML format with upstream issue references provides excellent traceability for future audits. The justification clearly explains why this CVE is safe to ignore (affects only contrib/untgz demo utility, not shipped in images).

[greptile-apps]

continue-on-error: true masks scan infrastructure failures

exit-code: "0" already instructs Trivy to exit with code 0 when vulnerabilities are found, making continue-on-error: true redundant for the intended use case. However, the combination is subtly problematic: if Trivy encounters a genuine infrastructure error (DB download failure, image pull error, malformed config), it still exits non-zero — but continue-on-error: true will swallow that failure and mark the step as passed.

The CRITICAL step (no continue-on-error) running first provides a partial mitigation — if the infrastructure is broken, the critical scan would fail first. However, there's a narrow window where the critical step succeeds and the high step then encounters a transient error (flaky network on DB re-download, ephemeral runner issues), resulting in the HIGH scan being silently skipped rather than visibly errored.

Using exit-code: "0" alone is sufficient to make findings non-blocking, while still correctly surfacing scan infrastructure failures in the step output. Consider removing continue-on-error: true from both the build-backend (line 110) and build-web (line 221) jobs:

Suggested change

	- name: Trivy scan (high — warn only)
	uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
	continue-on-error: true
	with:
	image-ref: ${{ steps.scan-ref.outputs.ref }}
	format: table
	exit-code: "0"
	severity: HIGH
	trivyignores: .trivyignore.yaml
	- name: Trivy scan (high — warn only)
	uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
	with:
	image-ref: ${{ steps.scan-ref.outputs.ref }}
	format: table
	exit-code: "0"
	severity: HIGH
	trivyignores: .trivyignore.yaml

Prompt To Fix With AI

This is a comment left during a code review.
Path: .github/workflows/docker.yml
Line: 108-116

Comment:
**`continue-on-error: true` masks scan infrastructure failures**

`exit-code: "0"` already instructs Trivy to exit with code 0 when vulnerabilities are found, making `continue-on-error: true` redundant for the intended use case. However, the combination is subtly problematic: if Trivy encounters a genuine infrastructure error (DB download failure, image pull error, malformed config), it still exits non-zero — but `continue-on-error: true` will swallow that failure and mark the step as passed.

The CRITICAL step (no `continue-on-error`) running first provides a partial mitigation — if the infrastructure is broken, the critical scan would fail first. However, there's a narrow window where the critical step succeeds and the high step then encounters a transient error (flaky network on DB re-download, ephemeral runner issues), resulting in the HIGH scan being silently skipped rather than visibly errored.

Using `exit-code: "0"` alone is sufficient to make findings non-blocking, while still correctly surfacing scan infrastructure failures in the step output. Consider removing `continue-on-error: true` from both the `build-backend` (line 110) and `build-web` (line 221) jobs:

```suggestion
      - name: Trivy scan (high — warn only)
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          image-ref: ${{ steps.scan-ref.outputs.ref }}
          format: table
          exit-code: "0"
          severity: HIGH
          trivyignores: .trivyignore.yaml
```

How can I resolve this? If you propose a fix, please make it concise.