Skip to content

fix: warn and suppress fail-on exit when fix mode is active in the Ac…#828

Merged
sonukapoor merged 4 commits into
OWASP:mainfrom
coder-Yash886:fix/action-fail-on-fix-mode
Jul 14, 2026
Merged

fix: warn and suppress fail-on exit when fix mode is active in the Ac…#828
sonukapoor merged 4 commits into
OWASP:mainfrom
coder-Yash886:fix/action-fail-on-fix-mode

Conversation

@coder-Yash886

Copy link
Copy Markdown
Contributor

Summary
When a workflow sets both fail-on and fix: true, the scan step exits non-zero on findings before the "Apply security fixes" step runs. CLI-level fail-on suppression only applies when --fix and --fail-on are passed in the same invocation; in the Action they run in separate steps, so that behavior never helped.

This change updates the "Run CVE Lite CLI scan" step in action.yml to:

Emit a GitHub Actions warning when fix: true and fail-on are both set, so users know fail-on has no effect in fix mode
Suppress the scan step exit code when fix: true is active (cve-lite ... || true), so the fix step always runs regardless of findings
Closes #792

Test plan

Run a workflow with fix: true and fail-on: high on a project that has high-severity findings — scan step should not fail the job, and "Apply security fixes" should run

Confirm the workflow logs show ::warning::fail-on is set but has no effect in fix mode... when both inputs are set

Run a workflow with fail-on: high and fix: false — scan step should still exit non-zero on matching findings (unchanged behavior)

Run a workflow with fix: true and no fail-on — fix step runs normally with no warning

@coder-Yash886

Copy link
Copy Markdown
Contributor Author

@sonukapoor Please review the Pr when you have free time

@sonukapoor sonukapoor left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good diagnosis and the INPUT_FIX env var addition is correct - inputs need to be explicitly declared in composite action steps. One thing to tighten before we merge: || true suppresses all non-zero exits including exit 3 (genuine errors like a missing lockfile), not just exit 1 (findings that hit the fail-on threshold).

Comment thread action.yml
Comment thread action.yml Outdated
@coder-Yash886 coder-Yash886 force-pushed the fix/action-fail-on-fix-mode branch from 8db1ef3 to 1efb616 Compare July 13, 2026 12:58
@coder-Yash886

Copy link
Copy Markdown
Contributor Author

@sonukapoor both the changes are addressed Now review the pr

@sonukapoor sonukapoor left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for addressing the feedback - the exit code logic is correct on all four paths, the INPUT_FIX wiring follows the existing pattern, and the warning message is much more accurate now. Great fix!

@sonukapoor sonukapoor merged commit 5947b28 into OWASP:main Jul 14, 2026
6 checks passed
@sonukapoor

Copy link
Copy Markdown
Collaborator

Merged - thank you @coder-Yash886!

@sonukapoor sonukapoor mentioned this pull request Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix: warn and suppress fail-on exit when fix mode is active in the Action

2 participants