From 8d1e7dded0ff0f5f8d5831ff7ed21373c443b0a6 Mon Sep 17 00:00:00 2001
From: Maurice <61554723+mauriceboe@users.noreply.github.com>
Date: Mon, 15 Jun 2026 10:21:39 +0200
Subject: [PATCH] ci(security): only fail Docker Scout on fixable CVEs

Add only-fixed so the scan no longer fails on vulnerabilities with no upstream fix available (e.g. base-image OS packages), and only flags actionable, fixable findings.
---
 .github/workflows/security.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 9cc8577d..88755200 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -34,4 +34,5 @@ jobs:
 command: cves
 image: trek:scan
 only-severities: critical,high
+ only-fixed: true
 exit-code: true
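Review bot: The added `only-fixed: true` drops unfixed critical/high CVEs from the gate, but nothing visible in this workflow still records them, so a critical finding in the base image with no fix yet becomes invisible rather than tracked and only resurfaces the day a fix ships and the job turns red. Keep the blocking scan as is, but add a non-blocking report alongside it — a second scout step with the same `command`/`image` but without `only-fixed` and with `exit-code: false`, or a `sarif-file:` output uploaded to code scanning if the action version in use supports it — so unfixed findings stay visible for triage and for deciding whether a reachable-but-unfixed CVE warrants a mitigation anyway. Also put a comment above the new line so the relaxation reads as intentional and auditable: `# Gate only on CVEs that have an available fix; unfixed ones are reported separately, not blocking`. The step this `with:` block belongs to, and the job above it, begin outside the hunk.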