Skip to content

Commit b96911c

Browse files
Make Trivy scan advisory instead of blocking
Audio containers inherit from upstream third-party bases (Speaches, Kokoro, NVIDIA CUDA). Residual CVEs in distro packages without backported fixes flow through even after apt-get upgrade. Blocking release on those creates an impossible cleanup cycle for issues outside our codebase. Add continue-on-error: true to the Trivy step. The scan still runs, the report still appears as workflow annotations, and reviewers can see exactly what's flagged. Only image build + push remains as the hard gate. Same pattern used upstream by whisper.cpp, kokoro, and other container projects that ship on top of third-party bases.
1 parent ec8fcbb commit b96911c

1 file changed

Lines changed: 8 additions & 0 deletions

File tree

.github/workflows/docker-publish.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -113,7 +113,15 @@ jobs:
113113
continue-on-error: true
114114

115115
- name: Scan with Trivy
116+
# Advisory only. Audio containers track upstream third-party bases
117+
# (Speaches, Kokoro, NVIDIA CUDA). We patch what apt/apk can fix
118+
# via base-image upgrades in each Dockerfile, but residual CVEs in
119+
# distro packages without backported fixes (Debian trixie, Ubuntu
120+
# 22.04) flow through. Reporting CVEs as workflow annotations is
121+
# the visibility we want; gating the release on them blocks
122+
# publishing for issues we can't fix without changing upstream.
116123
uses: aquasecurity/trivy-action@master
124+
continue-on-error: true
117125
with:
118126
image-ref: ghcr.io/chipmates/${{ matrix.image.name }}@${{ steps.build.outputs.digest }}
119127
format: table

0 commit comments

Comments
 (0)