Phase 2b: add --fail-on gate and CI-friendly 0/1/2/3 exit codes#120

Merged: advaitpatel merged 1 commit into main from feat/fail-on-exit-codes on Jul 1, 2026
Conversation

@advaitpatel

Collaborator

Summary

Adds a --fail-on <severity> CI gate and standardizes exit codes to a conventional
0/1/2/3 scheme so DockSec can gate builds and be scripted reliably. Second of the
Phase 2 sequence.

Changes

  • --fail-on <severity> (CRITICAL/HIGH/MEDIUM/LOW): exit 1 when any structured finding
    (image vulnerability or compose misconfiguration) is at or above the threshold.
  • When --fail-on is below the requested --severity, the scan severity is widened
    automatically so the gate can observe those findings (with an info message).
  • Exit codes: 0 clean, 1 findings at/above --fail-on, 2 usage/argument error,
    3 tool/runtime error. Phase 1's scan-failure exit moves from 1 to 3 for consistency.
  • Added Severity.rank() / Severity.gate_levels() helpers.

Notes

  • The gate operates on structured findings (json_data); Hadolint lint warnings are not
    severity-ranked and do not trip the gate.
  • No default behavior change: without --fail-on, a clean run still exits 0.

Testing

  • ruff check . passes.
  • pytest: 114 passed (new test_enums.py; gate helper + exit-code integration tests).
  • Manual exit-code matrix verified: usage=2, invalid fail-on=2, image-not-found=3,
    gate hit=1, clean/below-threshold=0, auto-widen fires.
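The gate semantics described in this PR (at-or-above threshold, auto-widening, lint warnings ignored, 0/1/2/3 exit codes), modelled as added example code that is not DockSec's implementation. Severity.rank() and Severity.gate_levels() follow the names in the Changes list; effective_scan_severity, gate_exit_code, run and failing_scan are assumed names, and the finding dicts are constructed sample data.

```python
# Added illustrative model of the PR's --fail-on gate; not DockSec's code, names assumed.
from enum import Enum
from typing import Callable, List, Optional

EXIT_CLEAN, EXIT_GATE_HIT, EXIT_USAGE, EXIT_TOOL_ERROR = 0, 1, 2, 3  # PR's scheme


class Severity(str, Enum):
    LOW = "LOW"
    MEDIUM = "MEDIUM"
    HIGH = "HIGH"
    CRITICAL = "CRITICAL"

    def rank(self) -> int:
        return list(Severity).index(self)  # LOW=0 ... CRITICAL=3

    @classmethod
    def gate_levels(cls, threshold: "Severity") -> set:
        # Severities at or above the threshold: the ones that trip the gate.
        return {s for s in cls if s.rank() >= threshold.rank()}


def effective_scan_severity(requested: Severity, fail_on: Severity) -> Severity:
    # Auto-widen: scan down to the gate threshold when it is below --severity.
    return fail_on if fail_on.rank() < requested.rank() else requested


def gate_exit_code(findings: List[dict], fail_on: Optional[Severity]) -> int:
    # Only structured findings carry "severity"; lint warnings lack one and never gate.
    if fail_on is None:
        return EXIT_CLEAN
    tripping = Severity.gate_levels(fail_on)
    for finding in findings:
        sev = finding.get("severity")
        if sev is not None and Severity(sev) in tripping:
            return EXIT_GATE_HIT
    return EXIT_CLEAN


def run(severity_arg: str, fail_on_arg: Optional[str], scan: Callable[[Severity], List[dict]]) -> int:
    # CLI-level wrapper: bad arguments -> 2, scanner failure -> 3, else gate result.
    try:
        requested = Severity(severity_arg.upper())
        fail_on = Severity(fail_on_arg.upper()) if fail_on_arg else None
    except ValueError:
        return EXIT_USAGE
    scan_sev = effective_scan_severity(requested, fail_on) if fail_on else requested
    try:
        findings = scan(scan_sev)
    except RuntimeError:
        return EXIT_TOOL_ERROR
    return gate_exit_code(findings, fail_on)


def failing_scan(_sev: Severity) -> List[dict]:
    raise RuntimeError("image not found")  # constructed stand-in for a scanner failure
```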

@advaitpatel advaitpatel merged commit 6440301 into main Jul 1, 2026
8 checks passed