Description
I am running the trivy vulnerability scan on the docker image in the git action pipeline.
Below is the code.
```yaml
- name: Run Trivy vulnerability scanner on a container
  uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
  with:
    image-ref: '${{ inputs.registry }}/${{ inputs.repo_name }}:${{ inputs.image_version }}'
    format: 'sarif'
    severity: 'CRITICAL,HIGH,MEDIUM'
    output: 'trivy-container-results.sarif'
    ignore-unfixed: true
    timeout: ${{ inputs.timeout }}
```
The above code is working and giving results based on the severity of the application, and it is ignoring unfixed OS fixes (HIGH, MEDIUM and CRITICAL) and LOW fixes as well. Now if I set ignore-unfixed: false, it gives all the ignored OS fixes along with "LOW severity".
Requirement is:
If I use ignore-unfixed: false and the severity is CRITICAL, HIGH, and MEDIUM, the output file should contain application issues and OS issues based on severity. It should not contain LOW or other issues.
Please suggest how to achieve it.
For reference:
The issue has been discussed in the thread below:
aquasecurity/trivy#1687 (reply in thread)
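One way to enforce the severity set regardless of what the action writes is to post-process the SARIF file in a later step, before it is uploaded to code scanning. The script below is an added example, not code from the issue author or from the Trivy project. It assumes that each SARIF rule carries its severity either as an upper-case tag in `properties.tags` or as a numeric `properties.security-severity` (an assumption about Trivy's SARIF layout, labelled as such in the code); when only the numeric score is present it applies the bands GitHub code scanning documents for that property (9.0+ critical, 7.0+ high, 4.0+ medium, below that low). The sample SARIF document is constructed inline so the script runs offline; the rule IDs in it are placeholders, not real CVEs.

```python
"""Drop SARIF results whose rule severity is outside an allowed set.

Added example for the issue above (not Trivy's own code). Assumption: Trivy's
SARIF rules expose severity via properties.tags (e.g. "CRITICAL") and/or the
numeric properties.security-severity string. Rules are left in place so that
any ruleIndex on the surviving results stays valid.
"""
import json
import sys
from collections import Counter
from copy import deepcopy

KNOWN = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"}
# Bands GitHub code scanning applies to "security-severity" (documented by GitHub).
BANDS = [(9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.0, "LOW")]

# Constructed sample mimicking the assumed Trivy SARIF layout; IDs are placeholders.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "EXAMPLE-CRITICAL", "properties": {"tags": ["vulnerability", "security", "CRITICAL"], "security-severity": "9.8"}},
            {"id": "EXAMPLE-LOW", "properties": {"tags": ["vulnerability", "security", "LOW"], "security-severity": "2.1"}},
            {"id": "EXAMPLE-MEDIUM-SCORE-ONLY", "properties": {"security-severity": "5.5"}},  # no tag, band lookup
            {"id": "EXAMPLE-NO-SEVERITY", "properties": {}},  # nothing usable -> UNKNOWN
        ]}},
        "results": [
            {"ruleId": "EXAMPLE-CRITICAL", "ruleIndex": 0, "message": {"text": "critical finding"}},
            {"ruleId": "EXAMPLE-LOW", "ruleIndex": 1, "message": {"text": "low finding"}},
            {"ruleId": "EXAMPLE-MEDIUM-SCORE-ONLY", "ruleIndex": 2, "message": {"text": "medium by score"}},
            {"ruleId": "EXAMPLE-NO-SEVERITY", "ruleIndex": 3, "message": {"text": "unknown"}},
        ],
    }],
}


def rule_severity(rule: dict) -> str:
    """Return CRITICAL/HIGH/MEDIUM/LOW from a rule, or UNKNOWN if undeterminable."""
    props = rule.get("properties") or {}
    for tag in props.get("tags") or []:
        if str(tag).upper() in KNOWN:
            return str(tag).upper()
    raw = props.get("security-severity")
    if raw is not None:
        try:
            score = float(raw)
        except (TypeError, ValueError):
            return "UNKNOWN"
        for floor, label in BANDS:
            if score >= floor:
                return label
    return "UNKNOWN"


def filter_sarif(doc: dict, allowed: set, keep_unknown: bool = False):
    """Return (filtered copy, number of dropped results); input is not modified.

    keep_unknown=False drops results whose severity cannot be determined, which
    is the conservative choice for a gate that must only report the allowed set.
    """
    out = deepcopy(doc)
    dropped = 0
    for run in out.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r.get("id"): r for r in rules}
        kept = []
        for res in run.get("results", []):
            rule = by_id.get(res.get("ruleId"))
            idx = res.get("ruleIndex")
            if rule is None and isinstance(idx, int) and 0 <= idx < len(rules):
                rule = rules[idx]
            sev = rule_severity(rule) if rule else "UNKNOWN"
            if sev in allowed or (sev == "UNKNOWN" and keep_unknown):
                kept.append(res)
            else:
                dropped += 1
        run["results"] = kept
    return out, dropped


def severity_counts(doc: dict) -> Counter:
    """Count surviving results per severity, useful for a pipeline summary line."""
    counts = Counter()
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r.get("id"): r for r in rules}
        for res in run.get("results", []):
            counts[rule_severity(by_id.get(res.get("ruleId"), {}))] += 1
    return counts


if __name__ == "__main__":
    # Usage: python filter_sarif.py in.sarif out.sarif CRITICAL,HIGH,MEDIUM
    if len(sys.argv) == 4:
        with open(sys.argv[1], encoding="utf-8") as fh:
            src = json.load(fh)
        allowed = {s.strip().upper() for s in sys.argv[3].split(",")}
    else:
        src, allowed = SAMPLE_SARIF, {"CRITICAL", "HIGH", "MEDIUM"}
    result, n = filter_sarif(src, allowed)
    if len(sys.argv) == 4:
        with open(sys.argv[2], "w", encoding="utf-8") as fh:
            json.dump(result, fh, indent=2)
    print(f"dropped {n} result(s); remaining: {dict(severity_counts(result))}")
```

Run it as a step between the Trivy step and the SARIF upload, pointing it at the `output` file the action wrote. Rules are deliberately not removed from the document: SARIF allows unreferenced rules, and deleting them would require renumbering every `ruleIndex`.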