Thanks @RDeaton for the report!
It’s not you. I set this up locally to check our latest release and there seems to be an issue in the action with the two options of severity-cutoff and fail-build not respecting each other. I do not think there should be a default for severity-cutoff which is what’s passing --fail-on medium to the program.
If fail-build is false then it shouldn’t matter what is passed to severity-cutoff, but the program is not behaving in this way.
The registry-username and registry-password are correctly working, but need to be added as expected inputs in the next release. The warning is a red herring here.
A second bug was also discovered here with the SARIF output since I tested an image without a medium severity to fail on.
Combining SARIF files using the CodeQL CLI
Adding fingerprints to SARIF file. See https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs for more information.
Error: Resource not accessible by integration
If there isn’t a relevant github issue for this would you file one?
I can take a look again when I have some extra cycles and get a new build released that should work in the way you’re describing - apologies for the bugs here.