feat: --fail-on severity gate + SARIF parity for agent/CI gating #6
Merged
cloudgov could only report findings, never gate on them, and emitted SARIF for just 5 of its security domains — both block clean use in CI pipelines and in the fab merge-gate. This adds a severity-based exit-code contract and rounds out SARIF coverage. First part of the AI-agent-readiness plan; the MCP server + AGENTS.md follow separately.

─── Exit-code gate (--fail-on) ───

- cmd/gate.go (new): a generic gate[T](items, sev) helper and gateBool(cond), plus the package exitCode/failOn vars. Exit codes are now 0 = clean, 1 = command error (unchanged), 2 = a finding met or exceeded the --fail-on threshold. Reuses cloud.SeverityRank.
- cmd/root.go: new persistent --fail-on <severity> flag (CRITICAL/HIGH/MEDIUM/LOW); Execute() exits with the gate code on the success path. Default behaviour (flag unset) is unchanged.
- Wired into the security/posture commands: iam scan, storage audit, network audit, certs, tags, secrets, audit, k8s rbac, lambda audit (severity-gated); compliance (gates on failed-control severity); drift (gates on any modified/deleted resource). cost/orphans/quota/inventory are intentionally not gated — they aren't pass/fail checks.

─── SARIF parity ───

- internal/output/sarif.go: new WriteK8sSARIF, WriteLambdaSARIF, WriteComplianceSARIF, WriteDriftSARIF, plus a shared sarifReport/encodeSARIF helper. Compliance maps failed controls to their severity level and omits passes; drift maps modified->warning / deleted->error and omits in-sync.
- Wired `--output sarif` into k8s rbac, lambda audit, compliance, and drift (joining iam/storage/network/certs/secrets/audit). cost/orphans/quota/inventory stay JSON-only — SARIF isn't the right format for non-security findings.

─── Tests ───

- cmd/gate_test.go (new): table-driven coverage of the gate threshold logic and gateBool (the cmd package had no tests before).
- internal/output/sarif_test.go: round-trip tests for the four new writers (valid SARIF 2.1.0, level mapping, pass/in-sync omission) and the new rule builders.

Verification: go build ./..., go test ./..., go vet ./..., and golangci-lint v2.12.2 (uncapped) all pass. Binary confirmed: --fail-on is registered and k8s/lambda/compliance/drift advertise the sarif output format. End-to-end exit-code behaviour against live findings needs cloud creds; the gate logic itself is unit-tested.

Co-authored-by: stxkxsbot <275011021+stxkxsbot@users.noreply.github.com>
See the commit message for full detail. First part of the approved AI-agent-readiness plan (the MCP server + `AGENTS.md` follow in a separate PR so the new dependency is reviewed in isolation).

Summary

- `--fail-on <severity>` exit-code gate — exit `2` when any finding meets/exceeds the threshold (`1` stays reserved for command errors, `0` = clean). New `cmd/gate.go` (`gate[T]`/`gateBool`), wired into iam/storage/network/certs/tags/secrets/audit/k8s-rbac/lambda (severity), compliance (failed-control severity), and drift (any modified/deleted). Cost/orphans/quota/inventory intentionally ungated.
- SARIF parity: `k8s rbac`, `lambda audit`, `compliance`, `drift`, joining the existing five domains. Cost/orphans/quota/inventory stay JSON-only (SARIF isn't for non-security findings).
- Tests: `cmd/gate_test.go` (first tests in the cmd package) + round-trip cases in `internal/output/sarif_test.go`.

Verification

`go build`, `go test ./...`, `go vet`, and golangci-lint v2.12.2 (uncapped) all pass. Binary confirms the `--fail-on` flag and the new `sarif` output formats. (E2E exit-code behaviour against live findings needs cloud creds; gate logic is unit-tested.)

Follow-on (next PR)

`cloudgov mcp` serve mode + `AGENTS.md` — makes cloudgov a first-class MCP tool for fab agents. Adds the one new dependency (Go MCP SDK).
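A stand-alone sketch of the exit-code contract this PR describes (0 clean, 1 command error, 2 threshold met), added here as an example; it is not cloudgov's code. The `severityRank` table, the `Finding` interface and the `iamFinding` type are constructed stand-ins, and the project's `cloud.SeverityRank` is assumed to order the same four levels.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity order, lowest to highest. Constructed here; cloudgov's own
// cloud.SeverityRank is assumed to order the same four levels.
var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Exit-code contract from the PR: 0 clean, 1 command error, 2 gate tripped.
const ExitClean, ExitError, ExitGateHit = 0, 1, 2

// Finding is a hypothetical interface; the PR does not show cloudgov's types.
type Finding interface{ Severity() string }

// gate returns ExitGateHit when any item is at or above the --fail-on level.
// An unset or unknown threshold leaves the gate off (the pre-PR behaviour).
func gate[T Finding](items []T, failOn string) int {
	threshold, ok := severityRank[strings.ToUpper(failOn)]
	if !ok {
		return ExitClean
	}
	for _, item := range items {
		if severityRank[strings.ToUpper(item.Severity())] >= threshold {
			return ExitGateHit
		}
	}
	return ExitClean
}

// gateBool: drift has no severity, so any modified/deleted resource trips the gate.
func gateBool(cond bool) int {
	if cond {
		return ExitGateHit
	}
	return ExitClean
}

type iamFinding struct{ rule, sev string }

func (f iamFinding) Severity() string { return f.sev }

func main() {
	// Constructed sample: one HIGH and one LOW finding, gated at --fail-on HIGH.
	findings := []iamFinding{{"wildcard-action", "HIGH"}, {"stale-key", "LOW"}}
	fmt.Println("exit codes:", gate(findings, "HIGH"), gate(findings, "CRITICAL"))
}
```

A CI step would pass the returned code to os.Exit, so a pipeline can fail on HIGH while still receiving LOW and MEDIUM findings in the SARIF report.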