From 977df48644e0a7112dc25f9f04afa6d84ce87db9 Mon Sep 17 00:00:00 2001
From: josh
Date: Fri, 22 Sep 2023 20:54:49 +0000
Subject: [PATCH] fix: only alert on CVEs that have a fix
---
 .github/workflows/docker-build.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 206925b..56ce360 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -50,7 +50,10 @@ jobs:
 id: scan
 with:
 sbom: sbom.spdx.json
+ severity-cutoff: high
 fail-build: false
+ only-fixed: true
+ by-cve: true
 - name: upload Anchore scan SARIF report
 uses: github/codeql-action/upload-sarif@v2
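Review bot: The added `only-fixed: true` drops every finding that has no upstream fix from the SARIF report uploaded in the next step, so known-but-unpatched vulnerabilities in the image silently disappear from the Security tab, and nothing in the workflow records that this is deliberate. Since `fail-build: false` is kept, the scan never blocks a build either, so the report is the only signal and its scope should be stated next to the inputs, e.g. `# only-fixed hides CVEs without an available fix; they still exist in the image` above `only-fixed: true`. The `severity-cutoff: high` input is not mentioned in the commit subject and, if it filters or downgrades findings as its name suggests, it narrows visibility a second time; a one-line comment explaining why `high` was chosen would help the next maintainer. The scan step's `uses:` line and the enclosing job begin outside this hunk.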