Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 13 additions & 3 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -236,9 +236,14 @@ runs:
INPUT_CHECK_OVERRIDES: ${{ inputs.check-overrides }}
INPUT_AUDIT_LOG: ${{ inputs.audit-log }}
INPUT_REPORT: ${{ inputs.report }}
INPUT_FIX: ${{ inputs.fix }}
run: |
set -euo pipefail

if [[ "${INPUT_FIX}" == "true" && -n "${INPUT_FAIL_ON}" ]]; then
echo "::warning::fail-on is set with fix: true - job failure is suppressed so the fix step can run. Add a second scan step without fix: true if you want to gate on remaining findings after fixing."
fi

args=("${PROJECT_PATH}")

if [[ "${INPUT_ALL}" == "true" ]]; then
Expand Down Expand Up @@ -295,9 +300,14 @@ runs:
args+=("--report" "${INPUT_REPORT}" "--no-open")
fi

Comment thread
coder-Yash886 marked this conversation as resolved.
# set -e propagates the scan exit code, including exit 2 when a --fix
# verify pass fails, so the job fails the same way the CLI does.
cve-lite "${args[@]}"
if [[ "${INPUT_FIX}" == "true" ]]; then
cve-lite "${args[@]}" || EXIT_CODE=$?
if [[ "${EXIT_CODE:-0}" -gt 1 ]]; then
exit "${EXIT_CODE:-0}"
fi
else
cve-lite "${args[@]}"
fi

- name: Apply security fixes
if: ${{ inputs.fix == 'true' }}
Expand Down