
Commit 9126206

committed
fix
1 parent 88cfe93 commit 9126206

1 file changed

Lines changed: 17 additions & 8 deletions


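--- a/src/codeaudit/ci_workflowscan.py
+++ b/src/codeaudit/ci_workflowscan.py
@@ -20,15 +20,19 @@
 
 def ci_scan(input_path, output="text", nosec=True):
 """Basic SAST scan to be used in CI workflows
-The nosec is set to true for CI workflows by default, it can be changed
-Security weakness SHOULD be marked for an exit 0 status in your CI
 
-Note: If you use JSON output you will have an exit status 0, since you have to determine yourself if there are weaknesses found in your code.
+The nosec is set to true for CI workflows by default, it can be changed.
+Security weakness SHOULD be marked for an exit 0 status in your CI.
 
-Set an options in your CI job like e.g. allow_failure:True since jobs that run can result in detecting weaknesses and this is no failure of the job!
+Note: If you use JSON output you will have an exit status 0, since you have to
+determine yourself if there are weaknesses found in your code.
+
+Set an option in your CI job like e.g. allow_failure: true since jobs that run
+can result in detecting weaknesses and this is no failure of the job!
 """
 try:
 scanresult = filescan(input_path, nosec=nosec)
+
 # collect and return info from scanned files
 if output == "text":
 result, security_status = report_result_txt(scanresult)
@@ -44,12 +48,17 @@ def ci_scan(input_path, output="text", nosec=True):
 result = f"ERROR: Unsupported format '{output}'"
 print(result, file=sys.stderr)
 sys.exit(1)
-if security_status == 0: # no files with weakness found - or properly marked!
-sys.exit(0) # correct finish
+
+# Exit codes:
+# 0 = clean (no weaknesses or properly marked with nosec)
+# 3 = weaknesses found (allowed in CI via allow_failure: true)
+if security_status == 0:
+sys.exit(0) # clean finish
 else:
-sys.exit(3) # finish with detected weakness
+sys.exit(3) # weaknesses found → job "failed" but pipeline continues
+
 except Exception as e:
-# Log the actual error 'e' for debugging CI failures
+# Log the actual error for debugging CI failures
 print(f"ERROR: Scan failed. Details: {e}", file=sys.stderr)
 sys.exit(1)
 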
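Review bot: The `except Exception as e` handler at the end of the second hunk still prints only `str(e)`, so a failure inside filescan or one of the report_result_* calls leaves the CI log without the exception type or a traceback, although the rewritten comment on the line above promises the error is logged for debugging; changing the print to `print(f"ERROR: Scan failed ({type(e).__name__}). Details: {e}", file=sys.stderr)` and calling `traceback.print_exc(file=sys.stderr)` before it (with `import traceback` at module top) would make the failure actionable. The exit-code contract the new comments spell out (0 clean, 3 weaknesses found, 1 scan error or unsupported format) is absent from the docstring rewritten in the first hunk, which only mentions exit 0; a short `Exit status:` paragraph there would let callers see it from help() instead of reading the body. Because the added comment counts findings "properly marked with nosec" as clean and `nosec=True` is the default, the docstring should also state that a nosec-annotated finding can never fail the job, so such annotations deserve the same review as any other code change. The `→` in the comment on the `sys.exit(3)` line appears to be the only non-ASCII character in this function; a plain `->` keeps the file ASCII-only. The json/other output branches of ci_scan lie between the two hunks, outside this view.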
