
feat(trivy): default severity to all levels for cross-scanner dedup#42

Merged
sg0nzalez merged 1 commit into main from feat/trivy-default-all-severities on Jun 17, 2026

Conversation

@sg0nzalez

@sg0nzalez sg0nzalez commented Jun 17, 2026

Contributor

Summary

  • Change Muninn’s default Trivy severity from CRITICAL,HIGH to all Trivy levels (UNKNOWN through CRITICAL), matching Trivy’s native --severity default.
  • osv-scanner and Trivy now overlap on medium/low npm advisories out of the box, so cross-scanner dedup and PR comment Detected by lines work without extra consumer config.
  • Consumers can still narrow what Trivy reports via scanners.trivy.severity; fail-on remains the knob for which findings fail the run.

Motivation

Consumer repos (e.g. flightlogs-web) were seeing dependency findings with Detected by: osv-scanner only. That was expected: Trivy’s old default filtered out medium/low severities while osv-scanner reported everything. Widening the default follows a scan wide, fail narrow model.

What changed

  • internal/config.DefaultTrivySeverities — single source of truth for the default list
  • Defaults() and trivy.buildArgs() — use all levels when no override is set
  • Docs, tests, muninn.yml, and CI dedup workflow updated for v0.3.3

Consumer impact

| Before | After |
|---|---|
| Trivy default: CRITICAL, HIGH | Trivy default: all levels |
| Medium/low deps often osv-only | osv + trivy dedup by default |
| fail-on: critical (default) | unchanged |

Repos that want the old behavior can opt in:

```yaml
scanners:
  trivy:
    severity: [CRITICAL, HIGH]
    ignore-unfixed: true
```

Note: defining scanners: replaces the entire scanner map — list every scanner you still want enabled.

Test plan

  • go test ./...
  • go test ./integration/...
  • CI green on PR
  • Spot-check a consumer repo PR comment shows Detected by: osv-scanner, trivy on shared medium/low advisories

Scan wide with Trivy (UNKNOWN through CRITICAL) so osv-scanner overlaps on
medium/low advisories by default; consumers can still narrow via
scanners.trivy.severity while fail-on controls CI exit behavior.

Co-authored-by: Cursor <cursoragent@cursor.com>
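The scan wide, fail narrow behaviour described in the PR body, as an added Go example that is not Muninn's own code: hypothetical stand-ins for DefaultTrivySeverities, trivy.buildArgs and the cross-scanner dedup that produces the Detected by line, showing why narrowing scanners.trivy.severity back to CRITICAL,HIGH leaves a medium advisory osv-scanner-only. Type and function names, and the GHSA-EXAMPLE advisory IDs used in the test, are constructed for this example.

```go
package main

import (
	"sort"
	"strings"
)

// Hypothetical stand-ins for Muninn's internal/config.DefaultTrivySeverities
// and trivy.buildArgs, written for this example; not the project's own code.
var DefaultTrivySeverities = []string{"UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"}

// TrivyConfig models the scanners.trivy block of muninn.yml.
type TrivyConfig struct{ Severity []string }
// EffectiveSeverities returns the consumer override when scanners.trivy.severity
// is set, otherwise every Trivy level (the new default).
func EffectiveSeverities(c TrivyConfig) []string {
	if len(c.Severity) > 0 {
		return c.Severity
	}
	return DefaultTrivySeverities
}

// BuildTrivyArgs renders the --severity flag Trivy is invoked with.
func BuildTrivyArgs(c TrivyConfig) []string {
	return []string{"--severity", strings.Join(EffectiveSeverities(c), ",")}
}

// Finding is one advisory as reported by one scanner.
type Finding struct{ ID, Severity, Scanner string }

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// DetectedBy applies the severity filter Trivy would apply to its own output,
// then merges findings by advisory ID into the per-ID "Detected by" scanner list.
func DetectedBy(findings []Finding, c TrivyConfig) map[string][]string {
	keep := EffectiveSeverities(c)
	out := map[string][]string{}
	for _, f := range findings {
		if f.Scanner == "trivy" && !contains(keep, f.Severity) {
			continue // dropped before dedup, so only osv-scanner remains
		}
		if !contains(out[f.ID], f.Scanner) {
			out[f.ID] = append(out[f.ID], f.Scanner)
		}
	}
	for _, s := range out { sort.Strings(s) }
	return out
}
```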
@sg0nzalez sg0nzalez self-assigned this Jun 17, 2026
@github-actions


🐦‍⬛ Muninn Security Scan

✅ No security issues found.

🐦‍⬛ Powered by Muninn · Skald Lab

@sg0nzalez sg0nzalez merged commit de7174d into main Jun 17, 2026
7 checks passed
@sg0nzalez sg0nzalez deleted the feat/trivy-default-all-severities branch June 17, 2026 14:47