Trivy code scanning check failing on PRs with large lockfile diffs #253

@pdettori

Description

Problem

The GitHub Advanced Security Trivy check (not our trivy-scan workflow) is failing on PRs that touch uv.lock files. This was observed on PR #252 (bundled Dependabot dependency update) where the check reported:

87 new alerts including 3 critical severity security vulnerabilities

Alerts not introduced by this pull request might have been detected because the code changes were too large.

Context

  • Check name: Trivy (app: github-advanced-security)
  • Tool: Trivy via GitHub code scanning (SARIF upload)
  • Our trivy-scan workflow: Passes (this is a separate job in .github/workflows/security.yaml)
  • Alert breakdown: 3 critical, 19 high, 42 medium, 23 low
  • Results count: 291 findings in the full analysis
  • Pre-existing?: Yes — the Scorecard tool also has 26 open alerts on main dating back to 2026-03-12

Root Cause Hypothesis

When uv.lock diffs are large (multiple dependency updates), Trivy rescans the entire lockfile and surfaces all pre-existing vulnerabilities in transitive dependencies as "new" alerts on the PR. These are not regressions — they exist on main as well.

RCA Checklist

  • Confirm whether Trivy SARIF is uploaded by a workflow in this repo or configured at the org level
  • Check if the same Trivy failures appear on main branch PRs (not just Dependabot)
  • Identify the 3 critical-severity CVEs and determine if they are actionable (direct vs transitive deps)
  • Evaluate whether to:
    • (a) Fix the critical/high CVEs by pinning or bumping transitive deps
    • (b) Suppress known false positives via .trivyignore
    • (c) Adjust the branch protection rule to not require this check
    • (d) Configure Trivy to only flag alerts introduced by the PR (if supported)
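The following script is an added example for options (b) and (d) above; it is not part of this repository's workflows. It takes two Trivy JSON reports (one from `main`, one from the PR head), drops any finding whose package/vulnerability pair already exists on `main`, applies a plain-text `.trivyignore` list, and only fails on findings the PR actually introduces. It assumes Trivy's JSON report shape (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `Severity`) and the one-ID-per-line `.trivyignore` format; the embedded reports and `CVE-EXAMPLE-*` identifiers are constructed placeholders, not real findings from this repo.

```python
"""Triage Trivy findings so that only vulnerabilities introduced by a PR fail the check.

Assumed usage (example only, not this repository's tooling):
  trivy fs --format json -o base.json <checkout of main>
  trivy fs --format json -o head.json <checkout of the PR branch>
  python triage.py base.json head.json .trivyignore
"""
import json
import sys

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}


def parse_trivyignore(text):
    """Return the set of vulnerability IDs listed in plain .trivyignore text.

    One ID per line; anything after '#' is a comment; blank lines are skipped.
    """
    ids = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def index_findings(report):
    """Map (package name, vulnerability ID) -> finding from a Trivy JSON report.

    A finding is keyed without its installed version on purpose: a dependency bump that
    still carries the same CVE is pre-existing, not a regression introduced by the PR.
    """
    index = {}
    for result in report.get("Results", []):
        # Trivy emits null (or omits the key) when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            index[(vuln["PkgName"], vuln["VulnerabilityID"])] = vuln
    return index


def new_findings(base_report, head_report, ignored=frozenset()):
    """Findings present in the PR head but absent from main and not in .trivyignore."""
    base = index_findings(base_report)
    head = index_findings(head_report)
    introduced = [v for key, v in head.items()
                  if key not in base and v["VulnerabilityID"] not in ignored]
    introduced.sort(key=lambda v: (SEVERITY_ORDER.get(v.get("Severity", "UNKNOWN"), 4),
                                   v["VulnerabilityID"]))
    return introduced


def fixed_findings(base_report, head_report):
    """Findings on main that the PR removes (useful to report alongside new ones)."""
    base = index_findings(base_report)
    head = index_findings(head_report)
    return [v for key, v in base.items() if key not in head]


def should_fail(findings, threshold="HIGH"):
    """True if any finding is at least as severe as the threshold (default HIGH)."""
    limit = SEVERITY_ORDER[threshold]
    return any(SEVERITY_ORDER.get(v.get("Severity", "UNKNOWN"), 4) <= limit for v in findings)


def _vuln(pkg, version, vuln_id, severity):
    return {"PkgName": pkg, "InstalledVersion": version,
            "VulnerabilityID": vuln_id, "Severity": severity}


# Constructed sample reports (not real scan output); CVE IDs are placeholders.
BASE_REPORT = {"SchemaVersion": 2, "Results": [{"Target": "uv.lock", "Vulnerabilities": [
    _vuln("libfoo", "1.0.0", "CVE-EXAMPLE-0001", "HIGH"),
    _vuln("libbar", "2.3.0", "CVE-EXAMPLE-0002", "CRITICAL"),
]}]}
HEAD_REPORT = {"SchemaVersion": 2, "Results": [{"Target": "uv.lock", "Vulnerabilities": [
    _vuln("libfoo", "1.0.1", "CVE-EXAMPLE-0001", "HIGH"),      # bumped, CVE still present: pre-existing
    _vuln("libfoo", "1.0.1", "CVE-EXAMPLE-0004", "LOW"),       # newly introduced
    _vuln("libbaz", "0.9.0", "CVE-EXAMPLE-0003", "CRITICAL"),  # new transitive dep: introduced
    _vuln("libqux", "4.0.0", "CVE-EXAMPLE-0005", "MEDIUM"),    # triaged via .trivyignore
]}, {"Target": "Dockerfile", "Vulnerabilities": None}]}
IGNORE_FILE = "# triaged 2026-03: not reachable in our usage\nCVE-EXAMPLE-0005\n"


def main(argv):
    if len(argv) == 4:
        with open(argv[1]) as f:
            base = json.load(f)
        with open(argv[2]) as f:
            head = json.load(f)
        with open(argv[3]) as f:
            ignored = parse_trivyignore(f.read())
    else:  # no arguments: run on the constructed sample data
        base, head, ignored = BASE_REPORT, HEAD_REPORT, parse_trivyignore(IGNORE_FILE)
    new = new_findings(base, head, ignored)
    for v in new:
        print(f"NEW {v['Severity']:8} {v['VulnerabilityID']} {v['PkgName']}@{v['InstalledVersion']}")
    for v in fixed_findings(base, head):
        print(f"FIXED {v['VulnerabilityID']} {v['PkgName']}")
    return 1 if should_fail(new) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the sample triage: the bumped `libfoo` CVE is reported as pre-existing, the fixed `libbar` CVE is listed as removed, the ignored ID is dropped, and the check fails only because of the genuinely new critical finding. Keying on package name plus vulnerability ID rather than installed version is the design choice that keeps a large lockfile diff from turning every carried-over CVE into a "new" alert.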
