From cdd41b50631c7ed42478cd25ff75aa4cef0cfe96 Mon Sep 17 00:00:00 2001
From: Noam Brendel <139764378+cx-noam-brendel@users.noreply.github.com>
Date: Mon, 27 Apr 2026 12:02:42 +0300
Subject: [PATCH] fix(security): restore iac-security-high threshold to 1
 (CISO-914)

Reverts commit 550d8a18 which changed iac-security-high from 1 to 2,
silently allowing one IaC high-severity vulnerability to pass the
security gate undetected. All thresholds should be consistent at 1.
---
 .github/workflows/checkmarx-one-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml
index b189156..212fe04 100644
--- a/.github/workflows/checkmarx-one-scan.yml
+++ b/.github/workflows/checkmarx-one-scan.yml
@@ -22,4 +22,4 @@ jobs:
           cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
           cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
           cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
-          additional_params: --tags phoenix --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;iac-security-critical=1;iac-security-high=2;iac-security-medium=1;iac-security-low=1;"
+          additional_params: --tags phoenix --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1;"