From 59685393f072e12e77743e05bd6dcaeb9ee0b1c9 Mon Sep 17 00:00:00 2001
From: Webnestify
Date: Thu, 28 May 2026 21:03:38 +0200
Subject: [PATCH] Fix CVE gate hard-failing on baseline runs

cve-delta.py applied --fail-on even when there was no previous scan to diff against, so any PR adding a brand-new image (no base-branch counterpart) tripped the gate on that image's pre-existing CVEs. A baseline run has no prior state and cannot represent a regression, so report the findings informationally and return 0 instead of exit 2.
---
 .github/scripts/cve-delta.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/scripts/cve-delta.py b/.github/scripts/cve-delta.py
index 3355bb3..e9eb526 100755
--- a/.github/scripts/cve-delta.py
+++ b/.github/scripts/cve-delta.py
@@ -133,7 +133,16 @@ def render_list(label: str, items: list) -> None:
     total_r = severity_counts(total_removed)
     print("# CVE delta\n")
     if not previous_files:
-        print("_No previous scan to diff against — this is a baseline run._\n")
+        print("_No previous scan to diff against — this is a baseline run; "
+              "nothing to compare against, so no regression can be detected._\n")
+        if per_image_lines:
+            print("## Per-image CVEs (informational)\n")
+            print("\n".join(per_image_lines))
+        # No prior state exists, so the PR cannot have *introduced* a CVE
+        # regression. Report the findings but never hard-fail here — otherwise
+        # every brand-new image (which by definition has no base scan) trips
+        # the gate. New images are reviewed when their template is added.
+        return 0
     elif changed_images == 0:
         print("**No changes.** Every image's CVE set is identical to the previous scan.\n")
         return 0
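Review bot: The early `return 0` makes the gate fail-open whenever `previous_files` is empty, and the hunk does not distinguish a genuine first run from a baseline that merely could not be retrieved — if `previous_files` is populated from a base-branch artifact download, an expired or failed download would now silently skip `--fail-on`. Consider having the caller pass an explicit baseline flag, or at least stating the skip in the output so a reader does not mistake it for a pass: `print("_Gate skipped: --fail-on is not applied on baseline runs._\n")` just before the `return 0`. The commit message describes a PR adding one new image alongside existing ones, but `if not previous_files` only fires when there are no previous scans at all; whether a single image without a base counterpart is also exempted depends on per-image logic outside this hunk. The enclosing function starts and ends outside the hunk.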