DefGuard · j-chmielewski · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -32,7 +32,8 @@ jobs:
           format: 'spdx-json'
           output: "defguard-client-${{ env.VERSION }}.sbom.json"
           scan-ref: '.'
-          severity: "CRITICAL,HIGH,MEDIUM"
+          severity: "CRITICAL,HIGH,MEDIUM,LOW"
+          scanners: "vuln"
 
       - name: Upload SBOM
         uses: shogo82148/actions-upload-release-asset@v1

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -39,6 +39,15 @@ jobs:
         uses: actions/checkout@v5
         with:
           submodules: recursive
+      - name: Scan code with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          exit-code: "1"
+          ignore-unfixed: true
+          severity: "CRITICAL,HIGH,MEDIUM"
+          scanners: "vuln"
       - name: Cache
         uses: Swatinem/rust-cache@v2
       - name: Install required packages

diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,2 @@
+# glib - transitive dependency
+GHSA-wrw7-89jp-8q8g exp:2025-11-05
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# glib - transitive dependency
		GHSA-wrw7-89jp-8q8g exp:2025-11-05