
GitHub Action: How to fail job if cfn-nag throws errors? #582

Open
andrewlytle opened this issue Dec 1, 2021 · 3 comments

Comments

@andrewlytle

Currently, when cfn_nag returns failures, my Github Action will continue happily. How can I make sure the job is cancelled if cfn_nag returns problems?

marcus-vw commented Jan 6, 2022

I think everybody should have this problem, because the implementation of the Github Action looks like this:

cfn_nag_scan ${EXTRA_ARGS} --input-path "${INPUT_INPUT_PATH}" | tee "${INPUT_OUTPUT_PATH}"

The pipe will swallow the exit code of the cfn_nag_scan command. In case you would like to fail your Github Workflow if there are any failures, you could use a dedicated step after the cfn nag scan:

...
  - uses: stelligent/cfn_nag@master
    with:
      input_path: templates

  - name: Fail if cfn_nag scan contains failures
    # sum cfn_nag failures and return it as exit code
    run: |
      exit `grep Failures cfn_nag.out | awk '{ SUM += $3} END { print SUM }'`

In case you use the output_path parameter for cfn_nag, keep in mind to change the exit `grep Failures cfn_nag.out ...` line.

@codequokka

A tweaked version of marcus-vw's.

This version also counts Warnings.
I have confirmed that this works fine on ubuntu-latest, but it may not work properly on other OSes due to differences in grep options.

 - name: Fail if cfn_nag scan contains failures, warnings
   # sum cfn_nag failures, warnings and return it as exit code
   run: |
     exit `grep -E '^(Failures|Warnings)' cfn_nag.out | awk '{ SUM += $3} END { print SUM }'`

codequokka added a commit to codequokka/cfn_nag that referenced this issue Feb 6, 2022
- To avoid the pipe swallowing the exit code of the cfn_nag_scan command
@chasechow7

My grep is having trouble finding cfn_nag.out. Do I need to navigate to a particular directory to find it? My git action currently looks like the following:

      - uses: stelligent/cfn_nag@master
        with:
          input_path: source/main/cdk.out/MainStack.template.json

      - name: Fail if cfn_nag scan contains failures
        # sum cfn_nag failures and return it as exit code
        run: |
          exit `grep Failures cfn_nag.out | awk '{ SUM += $3} END { print SUM }'`

At the top of our pipeline workflow.yml file we've set our working directory to ./source
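An added example, not code from this issue or from the stelligent/cfn_nag action, that hardens the gating step from marcus-vw's and codequokka's comments: a shell exit status is taken modulo 256, so exiting with the raw sum of findings turns 256 failures into a passing step, and a report that cannot be read (the symptom in the last comment, when the step runs from a different working directory) silently passes as well. The function and file names and the sample counts below are assumptions; the summary-line shape is the one the posted grep/awk commands rely on.

```shell
#!/usr/bin/env bash
# Added example, not from the issue or from the stelligent/cfn_nag action:
# a gate step that reads a cfn_nag text report and exits 1 on findings
# instead of exiting with the raw sum (which wraps modulo 256, so 256
# failures would exit 0) and fails closed when the report cannot be read.
set -u

# Sum the "<Label> count: N" summary lines (one per template) for one label.
# Prints 0 when no line matches.
count_findings() {
  local label="$1" report="$2"
  grep -E "^${label} count:" "$report" | awk '{ s += $3 } END { print s + 0 }'
}

# cfn_nag_gate REPORT [warn]
# Returns 0 when clean, 1 on failures (or on warnings too when "warn" is
# given), 2 when REPORT has no summary lines, e.g. because the step runs in
# a different working directory than the one the action wrote the file to.
cfn_nag_gate() {
  local report="$1" mode="${2:-fail}" failures warnings
  if ! grep -q ' count: ' "$report" 2>/dev/null; then
    echo "cfn_nag_gate: no cfn_nag summary found in '$report'" >&2
    return 2
  fi
  failures=$(count_findings Failures "$report")
  warnings=$(count_findings Warnings "$report")
  echo "cfn_nag: failures=$failures warnings=$warnings ($report)"
  if [ "$failures" -gt 0 ]; then return 1; fi
  if [ "$mode" = warn ] && [ "$warnings" -gt 0 ]; then return 1; fi
  return 0
}

# Constructed sample reports (the numbers are made up) in a temp directory,
# so the gate can be exercised offline. 200 + 56 = 256 would exit 0 with
# the raw-sum approach.
SAMPLE_DIR=$(mktemp -d)
printf 'templates/bucket.yaml\nFailures count: 0\nWarnings count: 1\n' \
  > "$SAMPLE_DIR/clean.out"
printf 'templates/bucket.yaml\nFailures count: 200\nWarnings count: 0\n' \
  > "$SAMPLE_DIR/bad.out"
printf 'templates/role.yaml\nFailures count: 56\nWarnings count: 3\n' \
  >> "$SAMPLE_DIR/bad.out"

# Demo; in a workflow step this would be `cfn_nag_gate cfn_nag.out || exit 1`.
cfn_nag_gate "$SAMPLE_DIR/clean.out" || echo "clean.out gated with status $?"
cfn_nag_gate "$SAMPLE_DIR/bad.out"   || echo "bad.out gated with status $?"
```

In the workflow, pass the same path you gave to output_path (resolved against the job's working-directory) as REPORT, and add `warn` as the second argument to gate on warnings as codequokka's version does.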
