mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License

Exit with a non-zero return code when finding #2841

Open de-jcup opened 5 months ago

de-jcup commented 5 months ago

Discussed in https://github.com/mercedes-benz/sechub/discussions/2827

Originally posted by **fty4** January 17, 2024

Hi there, I was wondering why the SecHub scan will exit with a non-zero return code when a RED finding was found. See this quote from the [documentation](https://mercedes-benz.github.io/sechub/latest/sechub-client.html):

> The SecHub client will exit with a non-zero return code per default only at a RED traffic light, but you can also configure the client to do this on color YELLOW.

IMHO this should not be the case. The scan itself was successful and therefore the return code should also be successful. When a wrong config was passed, a non-zero return code would be fine, but not if the report of the scan has a finding.

Even if the GH action scan will be continued ([`fail-job-with-findings`](https://github.com/mercedes-benz/sechub/blob/d2c7ba0c5853422d32c2641a54c7111db8111f42/github-actions/scan/action.yml#L40-L42) input), an error will appear in the workflow log:

```bash
RED alert - security vulnerabilities identified (critical or high)
Error: Exit code: 1
```

This should be prevented because the scan itself was successful.

## Code

https://github.com/mercedes-benz/sechub/blob/d2c7ba0c5853422d32c2641a54c7111db8111f42/github-actions/scan/src/main.ts#L60-L62

https://github.com/mercedes-benz/sechub/blob/d2c7ba0c5853422d32c2641a54c7111db8111f42/github-actions/shared/src/log-helper.ts#L9-L16
de-jcup commented 5 months ago

At the beginning of SecHub we made a survey and interviews. Most people wanted to have a breaking build (synchronous); some people wanted an asynchronous scan.

SecHub can do both ways: asynchronous and synchronous.

To have a breaking build because of RED findings in synchronous mode we used the exit code 1. If an unexpected error appears, we have dedicated, other exit codes.

Asynchronous scan shall NOT break the build - no matter if there is a RED finding or not. It just triggers a scan and you can check the result later.

But the GH action for SecHub currently only supports synchronous scanning.
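
The exit-code contract described in the comment above, as an added CI wrapper example (this is not SecHub project code and not the GitHub action's implementation). It assumes only what the comment states: exit code 1 from the client means a RED traffic light on a synchronous scan, and any other non-zero code is an unexpected error; the concrete values of those error codes are not stated on this page. The `fail_on_findings` switch plays the role of the action's `fail-job-with-findings` input, and the `fake_scan_*` functions are constructed stand-ins for the real client so the script runs offline:

```shell
#!/bin/sh
# Added example, not SecHub project code.
# Separates "scan finished but reported RED findings" from "scan could not run",
# so a pipeline can choose to continue on findings without hiding real errors.
#
# Assumed exit-code contract (from the issue comment, not from client source):
#   0          scan finished, traffic light not RED (GREEN, or YELLOW by default)
#   1          scan finished, traffic light RED
#   other      unexpected error; the client reserves dedicated codes for these

# run_sechub_scan FAIL_ON_FINDINGS CMD...
#   FAIL_ON_FINDINGS  "true" to fail the job on RED, "false" to only report it
#   CMD...            the scan command (in real use: the sechub client invocation)
# Returns 0 = continue the job, 1 = fail the job because of findings,
#         2 = fail the job because the scan itself did not complete.
run_sechub_scan() {
    fail_on_findings="$1"
    shift
    # "&& rc=0 || rc=$?" keeps the capture safe even under "set -e".
    "$@" && rc=0 || rc=$?
    case "$rc" in
        0)
            echo "no blocking findings (traffic light not RED)"
            return 0 ;;
        1)
            # Same message the GH action prints, quoted in the original post.
            echo "RED alert - security vulnerabilities identified (critical or high)"
            if [ "$fail_on_findings" = "true" ]; then
                return 1
            fi
            echo "fail-on-findings disabled, scan completed, continuing job"
            return 0 ;;
        *)
            # Not a finding: the scan did not run to completion. Never swallow this.
            echo "scan did not complete, client exit code $rc" >&2
            return 2 ;;
    esac
}

# Constructed stand-ins for the real client (so the example runs offline).
fake_scan_green() { return 0; }
fake_scan_red()   { return 1; }
fake_scan_error() { return 3; }   # 3 is an arbitrary "not 0, not 1" code

# Demonstration; "a && b || c" keeps each line safe under "set -e".
demo() { run_sechub_scan "$@" >/dev/null 2>&1 && echo "$* -> 0" || echo "$* -> $?"; }
demo true  fake_scan_green
demo true  fake_scan_red
demo false fake_scan_red
demo false fake_scan_error
```

The point of the split is that a pipeline which sets `fail_on_findings=false` still fails when the client returns anything other than 0 or 1, which is what the "dedicated, other exit codes" in the comment are for; only the RED-finding case becomes a policy decision.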

fty4 commented 5 months ago

The problem I am facing is that the action throws errors, which is not the desired state:


Wouldn't it be a good configuration option to have an option for when the exit code will not be zero?

Please use a mention next time if you move a discussion or similar - I was really confused why the discussion tab was missing.