stelligent / cfn_nag

Linting tool for CloudFormation templates
MIT License

GitHub Action: How to fail job if cfn-nag throws errors? #582

Open andrewlytle opened 2 years ago

andrewlytle commented 2 years ago

Currently when cfn_nag returns failures, my Github Action will continue happily. How can I make sure the job is cancelled if the cfn_nag returns problems?

marcus-vw commented 2 years ago

I think everybody should have the problem because the implementation of the Github Action looks like this:

cfn_nag_scan ${EXTRA_ARGS} --input-path "${INPUT_INPUT_PATH}" | tee "${INPUT_OUTPUT_PATH}"

The pipe will swallow the exit code of the cfn_nag_scan command. In case you would like to fail your Github Workflow if there are any failures you could use a dedicated step after the cfn nag scan:

...
  - uses: stelligent/cfn_nag@master
    with:
      input_path: templates

  - name: Fail if cfn_nag scan contains failures
    # sum cfn_nag failures and return it as exit code
    run: |
      exit `grep Failures cfn_nag.out | awk '{ SUM += $3} END { print SUM }'`

In case you use the output_path parameter for cfn_nag, keep in mind to change the ``exit `grep Failures cfn_nag.out...` `` line.

codequokka commented 2 years ago

A tweaked version of marcus-vw's.

This version also counts Warnings. I have confirmed that this works fine on ubuntu-latest, but it may not work properly on other OS due to differences in grep options.

 - name: Fail if cfn_nag scan contains failures, warnings
   # sum cfn_nag failures, warnings and return it as exit code
   run: |
     exit `grep -E '^(Failures|Warnings)' cfn_nag.out | awk '{ SUM += $3} END { print SUM }'`

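
The grep/awk one-liners from marcus-vw and codequokka, as an added example that is not part of this thread or of the cfn_nag project: a POSIX sh function that sums the `Failures count:` / `Warnings count:` lines of a cfn_nag_scan report, reports a missing report file explicitly (the symptom when `output_path` or the job's `working-directory` differ), and caps the exit status so a large count cannot wrap to 0. The report format and the `write_sample_report` helper are constructed for the example.

```shell
#!/bin/sh
# Added example (not cfn_nag project code). The action pipes cfn_nag_scan
# through `tee`, which hides its exit code, so a follow-up step has to
# derive a status from the report text instead.

# Constructed stand-in for a cfn_nag_scan report covering two templates.
write_sample_report() {
  cat > "$1" <<'EOF'
------------------------------------------------------------
templates/bucket.yaml
------------------------------------------------------------
| FAIL F14
| Resources: ["Bucket"]
| S3 Bucket should not have a public read acl
Failures count: 1
Warnings count: 2
------------------------------------------------------------
templates/role.yaml
------------------------------------------------------------
Failures count: 0
Warnings count: 1
EOF
}

# count_findings REPORT [failures|all]: print the summed count (0 if none).
# Returns 2 and prints nothing when the report file cannot be read.
count_findings() {
  report="$1"
  mode="${2:-failures}"
  if [ ! -r "$report" ]; then
    echo "cfn_nag report not found: $report (check output_path / working-directory)" >&2
    return 2
  fi
  case "$mode" in
    all) pattern='^(Failures|Warnings) count:' ;;
    *)   pattern='^Failures count:' ;;
  esac
  # Third field of "Failures count: N" is N; "s + 0" prints 0 when nothing matched.
  grep -E "$pattern" "$report" | awk '{ s += $3 } END { print s + 0 }'
}

# fail_on_findings REPORT [failures|all]: exit status = capped finding count,
# or 2 if the report is missing (any non-zero status fails the CI job).
fail_on_findings() {
  n=$(count_findings "$1" "$2") || return $?
  # Exit statuses are taken modulo 256, so 256 findings would read as success.
  if [ "$n" -gt 255 ]; then n=255; fi
  return "$n"
}
```

In a workflow, the step body would be `fail_on_findings cfn_nag.out all` (or the value given to `output_path`) after the function definitions.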
chasechow7 commented 1 year ago

My grep is having trouble finding cfn_nag.out. Do I need to navigate to a particular directory to find it? My git action currently looks like the following:

      - uses: stelligent/cfn_nag@master
        with:
          input_path: source/main/cdk.out/MainStack.template.json

      - name: Fail if cfn_nag scan contains failures
        # sum cfn_nag failures and return it as exit code
        run: |
          exit `grep Failures cfn_nag.out | awk '{ SUM += $3} END { print SUM }'`

At the top of our pipeline workflow.yml file we've set our working directory to ./source