From bd2e8feff69fed1b638ec31ff3c7b97e56def4ed Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Wed, 15 Apr 2026 00:28:56 +0000
Subject: [PATCH] fix: add only-fixed flag to Grype scans to skip unfixable CVEs

Co-Authored-By: Paperclip
---
 .github/workflows/ci.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fb0254b..202a9ef 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -170,6 +170,7 @@ jobs:
 image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
 fail-build: true
 severity-cutoff: high
+ only-fixed: "true"
 output-format: sarif
 
 - name: Upload frontend scan results to GitHub Security
@@ -266,6 +267,7 @@ jobs:
 image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}"
 fail-build: true
 severity-cutoff: high
+ only-fixed: "true"
 output-format: sarif
 
 - name: Upload auth scan results to GitHub Security
@@ -351,6 +353,7 @@ jobs:
 image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}"
 fail-build: true
 severity-cutoff: high
+ only-fixed: "true"
 output-format: sarif
 
 - name: Upload receiptwitness scan results to GitHub Security
@@ -436,6 +439,7 @@ jobs:
 image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}"
 fail-build: true
 severity-cutoff: high
+ only-fixed: "true"
 output-format: sarif
 
 - name: Upload api scan results to GitHub Security
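Review bot: The added `only-fixed: "true"` does more than stop the build from failing on unfixable findings: as far as I know the scan action passes it through as grype `--only-fixed`, which removes those matches from the generated SARIF as well, so high/critical CVEs with no upstream fix will also stop appearing in the GitHub Security tab after the upload step that follows each hunk. If the intent is only to stop gating on them while keeping visibility, consider a second scan step without the flag and `fail-build: false` whose SARIF is the one uploaded, or at minimum record the trade-off next to the new line with a comment such as `# only-fixed: do not gate on CVEs that have no fix yet (note: they are also dropped from the uploaded SARIF)`. As a point of style, the block now mixes `fail-build: true` with `only-fixed: "true"`; both reach the action as strings, but one quoting convention should be used for the boolean inputs. The same applies to the auth, receiptwitness and api hunks, and in each case the enclosing `with:` block and its step start outside the hunk.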