fix: warn and suppress fail-on exit when fix mode is active in the Ac…#828
Open
coder-Yash886 wants to merge 1 commit into
Open
fix: warn and suppress fail-on exit when fix mode is active in the Ac…#828coder-Yash886 wants to merge 1 commit into
coder-Yash886 wants to merge 1 commit into
Conversation
Contributor
Author
|
@sonukapoor Please review the Pr when you have free time |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When a workflow sets both fail-on and fix: true, the scan step exits non-zero on findings before the "Apply security fixes" step runs. CLI-level fail-on suppression only applies when --fix and --fail-on are passed in the same invocation; in the Action they run in separate steps, so that behavior never helped.
This change updates the "Run CVE Lite CLI scan" step in action.yml to:
Emit a GitHub Actions warning when fix: true and fail-on are both set, so users know fail-on has no effect in fix mode
Suppress the scan step exit code when fix: true is active (cve-lite ... || true), so the fix step always runs regardless of findings
Closes #792
Test plan
Run a workflow with fix: true and fail-on: high on a project that has high-severity findings — scan step should not fail the job, and "Apply security fixes" should run
Confirm the workflow logs show ::warning::fail-on is set but has no effect in fix mode... when both inputs are set
Run a workflow with fail-on: high and fix: false — scan step should still exit non-zero on matching findings (unchanged behavior)
Run a workflow with fix: true and no fail-on — fix step runs normally with no warning