deep-security / smartcheck-scan-action

A GitHub Action for scanning using Deep Security Smart Check.
Apache License 2.0

How can I fail the Azure Pipeline when thresholds are exceeded? #8

Open cvdabbeele opened 4 years ago

cvdabbeele commented 4 years ago

Hi, unlike on AWS CodePipeline, the ("my") Azure Pipeline does not fail if the findings of smartcheck-scan-action exceed the thresholds. Is there any way I can make the Azure Pipeline not go to the next job if the findings are higher than the thresholds? Thanks, chris

OzNetNerd commented 4 years ago

I ran into a similar issue with AWS' CodePipeline & CodeBuild. The pipeline continues for debugging purposes.

I got the desired outcome by looking at the CODEBUILD_BUILD_SUCCEEDING environment variable.

Here's a snippet from the pipeline:

            post_build:
              commands:
                # Fail the build explicitly when CodeBuild reports the job as failing
                - bash -c "if [ \"$CODEBUILD_BUILD_SUCCEEDING\" == \"0\" ]; then exit 1; fi"
                - echo Build completed on `date`
                - echo Pushing the Docker image...
                - docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG

Hopefully this helps with an Azure solution.

cvdabbeele commented 4 years ago

Thank you @OzNetNerd, I tried it in Azure Pipelines, but it seems that that variable has no content, regardless of the scan results. chris

OzNetNerd commented 4 years ago

No worries @cvdabbeele.

CODEBUILD_BUILD_SUCCEEDING is an AWS environment variable. Perhaps the Azure equivalent is Agent.JobStatus (reference).

You can use agent variables as environment variables in your scripts and as parameters in your build tasks.

Agent.JobStatus: The status of the build.

* Canceled
* Failed
* Succeeded
* SucceededWithIssues (partially successful)
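The gate described in the two comments above (CodeBuild's CODEBUILD_BUILD_SUCCEEDING, and Agent.JobStatus as its Azure counterpart), written out as a small POSIX shell script. This is an added example, not code from the smartcheck-scan-action project or from either commenter. It assumes that Azure Pipelines exposes Agent.JobStatus to scripts under the environment-variable name AGENT_JOBSTATUS (the usual dot-to-underscore, upper-case mapping), and it treats an empty or unrecognised status as "stop", so a variable that is not populated, as reported in the thread, cannot silently let the pipeline proceed:

```shell
#!/bin/sh
# Added example (not from the smartcheck-scan-action project).
# Assumptions: Azure Pipelines exposes Agent.JobStatus to scripts as AGENT_JOBSTATUS;
# AWS CodeBuild exposes CODEBUILD_BUILD_SUCCEEDING as "1" (passing) or "0" (failing).

# azure_should_continue STATUS
# Returns 0 when later steps may run, 1 when the job must stop.
# SucceededWithIssues is treated as a stop: a scan step that only "partially
# succeeded" is exactly the case the threshold gate exists to catch.
# An empty or unknown value is also a stop, so an unset variable fails closed.
azure_should_continue() {
  case "$1" in
    Succeeded)                           return 0 ;;
    SucceededWithIssues|Failed|Canceled) return 1 ;;
    *)                                   return 1 ;;
  esac
}

# codebuild_should_continue VALUE
# CodeBuild uses "1" for passing and "0" for failing; anything else fails closed.
codebuild_should_continue() {
  [ "$1" = "1" ]
}

# gate
# Picks whichever CI variable is present and exits non-zero when the job
# should not proceed. Refuses to continue if neither variable is set, so the
# gate cannot be bypassed by running on an agent that never populates it.
gate() {
  if [ -n "${AGENT_JOBSTATUS:-}" ]; then
    azure_should_continue "$AGENT_JOBSTATUS"
  elif [ -n "${CODEBUILD_BUILD_SUCCEEDING:-}" ]; then
    codebuild_should_continue "$CODEBUILD_BUILD_SUCCEEDING"
  else
    echo "no CI job-status variable found; refusing to continue" >&2
    return 1
  fi
}

# Usage as a pipeline step: run this script after the scan step, in the same job,
# and let its non-zero exit fail the job (e.g. `sh gate.sh || exit 1`).
# The guard below keeps the functions importable without running the gate.
if [ "${RUN_GATE:-}" = "1" ]; then
  gate || exit 1
fi
```

Agent.JobStatus only reflects steps that have already run in the same job, so the gate step has to be placed after the scan step rather than in a later job; a downstream job should instead depend on this job's success. If the scan step is configured to continue on error, the status may read SucceededWithIssues rather than Failed, which is why the function above stops on both.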