ci: Make Trivy scans non-blocking

MaciejTe · MaciejTe · commit 0c9aeec01814 · 2026-03-19T14:39:20.000+01:00
Signed-off-by: Maciek &lt;tomczukmaciej@gmail.com&gt;
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -26,6 +26,8 @@ jobs:
           echo "DNS_API_IMAGE=${IMAGE}" >> $GITHUB_ENV
 
       - name: Run Trivy vulnerability scanner - DNS API
+        id: trivy-api
+        continue-on-error: true
         uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
         with:
           image-ref: ${{ env.DNS_API_IMAGE }}
@@ -38,6 +40,8 @@ jobs:
           echo "DNS_PROXY_IMAGE=${IMAGE}" >> $GITHUB_ENV
 
       - name: Run Trivy vulnerability scanner - DNS Proxy
+        id: trivy-proxy
+        continue-on-error: true
         uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
         with:
           image-ref: ${{ env.DNS_PROXY_IMAGE }}
@@ -50,6 +54,8 @@ jobs:
           echo "DNS_FRONTEND_IMAGE=${IMAGE}" >> $GITHUB_ENV
 
       - name: Run Trivy vulnerability scanner - DNS Frontend
+        id: trivy-frontend
+        continue-on-error: true
         uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
         with:
           image-ref: ${{ env.DNS_FRONTEND_IMAGE }}
@@ -62,6 +68,8 @@ jobs:
           echo "DNS_BLOCKLISTS_IMAGE=${IMAGE}" >> $GITHUB_ENV
 
       - name: Run Trivy vulnerability scanner - DNS blocklists
+        id: trivy-blocklists
+        continue-on-error: true
         uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
         with:
           image-ref: ${{ env.DNS_BLOCKLISTS_IMAGE }}
@@ -74,7 +82,37 @@ jobs:
           echo "DNS_CHECK_IMAGE=${IMAGE}" >> $GITHUB_ENV
 
       - name: Run Trivy vulnerability scanner - DNS check
+        id: trivy-dnscheck
+        continue-on-error: true
         uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
         with:
           image-ref: ${{ env.DNS_CHECK_IMAGE }}
           trivy-config: ./.github/trivy.yaml
+
+      - name: Check Trivy scan results
+        if: always()
+        run: |
+          VULN_FOUND=false
+          if [ "${{ steps.trivy-api.outcome }}" = "failure" ]; then
+            echo "::warning::Trivy found vulnerabilities in DNS API image"
+            VULN_FOUND=true
+          fi
+          if [ "${{ steps.trivy-proxy.outcome }}" = "failure" ]; then
+            echo "::warning::Trivy found vulnerabilities in DNS Proxy image"
+            VULN_FOUND=true
+          fi
+          if [ "${{ steps.trivy-frontend.outcome }}" = "failure" ]; then
+            echo "::warning::Trivy found vulnerabilities in DNS Frontend image"
+            VULN_FOUND=true
+          fi
+          if [ "${{ steps.trivy-blocklists.outcome }}" = "failure" ]; then
+            echo "::warning::Trivy found vulnerabilities in DNS Blocklists image"
+            VULN_FOUND=true
+          fi
+          if [ "${{ steps.trivy-dnscheck.outcome }}" = "failure" ]; then
+            echo "::warning::Trivy found vulnerabilities in DNS Check image"
+            VULN_FOUND=true
+          fi
+          if [ "$VULN_FOUND" = "true" ]; then
+            echo "::warning::Vulnerabilities detected — review Trivy scan steps above and create a separate PR to upgrade affected dependencies"
+          fi
