
GitHub actions never fail

Open kralablee opened this issue 3 years ago • 3 comments

The tool works really well & I'd love to adopt it across the board; however, it doesn't matter what I put into the soft_fail: setting, it never fails & never feeds back to the pull request. The snip of the output of the tool shows this:

"ARM/" "" "CKV_AZURE_17" "true" "false" "arm" "" "" "github_failed_only" "true" "WARNING" input_soft_fail:false running checkov on directory: ARM/

Which does indicate that the entrypoint.sh is getting the setting correctly, but it just doesn't feed back a failure.

kralablee avatar Apr 20 '21 13:04 kralablee

I have a similar issue: the output shows many errors, I have soft_fail: false but still both the job and the step where the action is used show as successful. Is there a way to force the action to make the job/step fail for failures found?

joferrao avatar Apr 20 '21 13:04 joferrao

Another tip to make it more friendly: the tool should also generate and upload the SARIF file. This way the security vulnerabilities are captured in the Security tab.

dhishan avatar May 19 '21 23:05 dhishan

@dhishan The SARIF upload functionality was added since your comment as I'm using this successfully to get the alerts in my GitHub repo's Security tab.

HariSekhon avatar Feb 22 '22 10:02 HariSekhon

Support for SARIF output was added quite a while ago and it has been working correctly for a while.

gruebel avatar Mar 20 '23 21:03 gruebel