scan-action icon indicating copy to clipboard operation
scan-action copied to clipboard

Published 20 hours ago verified publisher icon ShiftLeftSecurity

Fail a build on high severity vulnerabilities

Open nexxai opened this issue 4 years ago • 10 comments

Is there a way to tell the action that a high-severity vulnerability should result in a failed build?

For example: in my opinion, this should not result in a green check or a "Looks good" comment since there is 1 high vuln Screen Shot 2021-05-20 at 8 44 52 AM

nexxai avatar May 20 '21 14:05 nexxai

Hi @nexxai

The default build break rule accepts up to 2 high vulnerabilities - https://github.com/ShiftLeftSecurity/sast-scan/blob/master/lib/config.py#L1345

You can create a custom .sastscanrc file as explained below with your custom rule.

https://slscan.io/en/latest/integrations/tips/#config-file

prabhu avatar May 20 '21 16:05 prabhu

Perfect! Thank you for clarifying!

nexxai avatar May 20 '21 16:05 nexxai

Ok maybe I am asking for/expecting the wrong thing.

I added the .sastscanrc file and set the rules to fail correctly, because now it's showing a red X like this:

Screen Shot 2021-05-20 at 10 47 21 AM

but the build itself is still completing successfully and not actually failing like I would hope. Is there something else I need to do to have the tool return a non-zero exit code so that the workflow dies rather than progressing?

nexxai avatar May 20 '21 16:05 nexxai

@nexxai Interesting problem.

scan-action invokes scan with --no-error to support SARIF and reports upload feature.

https://github.com/ShiftLeftSecurity/scan-action/blob/master/action.yml#L31

To block PR you can scan command manually, store the exit code and do an exit as the last build step. Could you give this a try? If not I can share some example over the weekend.

prabhu avatar May 20 '21 17:05 prabhu

Would you be willing to accept a PR that accepts a flag like --error-on-fail and if positive turns the --no-error command line flag off?

nexxai avatar May 20 '21 18:05 nexxai

@nexxai the default behaviour is to break. So if you run scan without --no-error (fork scan-action or override args) it will break automatically.

prabhu avatar May 20 '21 19:05 prabhu

I mean submit a PR to this action so we don't need to run the command manually

nexxai avatar May 20 '21 20:05 nexxai

Could we assume that this bash test if [[ -n "$(cat reports/ngsast-report.findings.json | jq '.findings[]')" ]] is enough to achieve what @nexxai wants? I noticed that this file has his findings node empty when no error.

crazy-matt avatar Sep 07 '21 16:09 crazy-matt

@crazy-matt sure that is a fair assumption. However, note that the particular json is for NG SAST which is a ShiftLeft commercial product. In contrast, SARIF file format is generic and vendor independent. Perhaps, slscan could create another file with just the summary information which could be used for your use case?

prabhu avatar Sep 08 '21 11:09 prabhu

@prabhu thanks for the answer, I learnt about the NG product line existence in the process. Yeah that would work too. If the NG json isn't to be trusted when using the opensource version.

crazy-matt avatar Sep 08 '21 11:09 crazy-matt