Commit 167acba

fix(security-scans): use step outcome instead of conclusion for snyk (#392)
The Snyk step uses `continue-on-error: true`, which overrides `conclusion` to `success` even when Snyk fails. The downstream steps checking `steps.snyk.conclusion` would always run, causing the pipeline to break when Snyk didn't produce a sarif file.

Use `outcome` instead, which reflects the actual result of the step before `continue-on-error` is applied.

Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>

1 parent fdc11ef commit 167acba

1 file changed

Lines changed: 2 additions & 2 deletions

.github/actions/security-scans/action.yml

@@ -51,14 +51,14 @@ runs:
5151
args: --severity-threshold=high --file=${{ inputs.dockerfile }}
5252

5353
- name: Replace sarif security-severity invalid values
54-
if: ${{ steps.snyk.conclusion == 'success' }}
54+
if: ${{ steps.snyk.outcome == 'success' }}
5555
shell: bash
5656
run: |
5757
sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
5858
sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
5959
6060
- name: Upload result to GitHub Code Scanning
6161
uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
62-
if: ${{ steps.snyk.conclusion == 'success' }}
62+
if: ${{ steps.snyk.outcome == 'success' }}
6363
with:
6464
sarif_file: snyk.sarif
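
Review bot: Gating both changed `if:` lines (the "Replace sarif security-severity invalid values" and "Upload result to GitHub Code Scanning" steps) on `steps.snyk.outcome == 'success'` skips the upload on every non-zero exit of the Snyk step, not only when no report was written. The Snyk CLI also exits non-zero when it finds issues at or above the threshold, so with `--severity-threshold=high` in the context above, a run that does report high-severity findings would have a `failure` outcome and its `snyk.sarif` would never reach Code Scanning. If the goal is only to avoid running `sed` and `upload-sarif` on a missing file, consider keying both conditions on the file itself, for example `if: ${{ hashFiles('snyk.sarif') != '' }}`, or add a comment next to the conditions stating that results are intentionally not uploaded when the scan step fails.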
