From 7c5840f32504b6285fdca1484fe033772ccc0266 Mon Sep 17 00:00:00 2001
From: Yiftach Cohen
Date: Thu, 19 Feb 2026 11:57:47 +0200
Subject: [PATCH 1/5] fix: support empty fail-on for informational mode
Change the default fail-on value from 'CRITICAL' to empty string, allowing workflows to run scans in informational mode without failing on findings. When fail-on is empty:
- The scan runs and produces results normally
- Results are uploaded to GitHub Code Scanning
- The workflow does NOT fail regardless of findings
This fixes an issue where passing fail-on: '' would be replaced by the default 'CRITICAL' due to GitHub Actions input substitution. Workflows that want to fail on findings should now explicitly set: fail-on: 'CRITICAL' or: fail-on: 'HIGH,CRITICAL'
---
 .github/workflows/reusable-security-scan.yml | 10 ++++++++--
 action.yml | 4 ++--
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/reusable-security-scan.yml b/.github/workflows/reusable-security-scan.yml
index 1dfa33c..9f2f141 100644
--- a/.github/workflows/reusable-security-scan.yml
+++ b/.github/workflows/reusable-security-scan.yml
@@ -12,9 +12,9 @@ on:
 type: string
 default: '.'
 fail-on:
- description: 'Comma-separated severity levels to fail on (e.g., HIGH,CRITICAL)'
+ description: 'Comma-separated severity levels to fail on (e.g., HIGH,CRITICAL). Empty string for informational mode (never fail).'
 type: string
- default: 'CRITICAL'
+ default: ''
 pr-comment:
 description: 'Post scan results as PR comment'
 type: boolean
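Review bot: The new `default: ''` makes the reusable workflow fail-open for every caller that omits `fail-on`, including callers that relied on the previous 'CRITICAL' default, and the updated description explains what an empty string means but not that empty is now the default. Because GitHub substitutes the default for an empty input (the substitution the commit message describes), a caller whose `fail-on` expression evaluates to empty also lands in informational mode with no signal in the run. Suggest making the opt-in explicit in the description, e.g. `description: 'Comma-separated severity levels to fail on (e.g., HIGH,CRITICAL). Empty (the default) is informational mode: findings are reported but never fail the workflow; set a level to gate.'`, so callers upgrading across this change see that gating now requires an explicit value. The same default flip is made in action.yml in the second hunk of this patch.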
@@ -273,6 +273,12 @@ jobs:
 RESULTS_COUNT: ${{ steps.scan_analysis.outputs.results_count }}
 FAIL_ON: ${{ inputs.fail-on }}
 run: |
+ # Informational mode: if fail-on is empty, never fail on findings
+ if [ -z "$FAIL_ON" ]; then
+ echo "Scan completed in informational mode (no fail-on threshold). Found ${RESULTS_COUNT:-0} issues."
+ exit 0
+ fi
+
 if [ "$SCAN_OUTCOME" = "failure" ] || [ "$SCAN_OUTCOME" = "cancelled" ]; then
 if [ "$HAS_RESULTS" = "false" ] || [ "${RESULTS_COUNT:-0}" = "0" ]; then
 # Scan failed without producing results - likely timeout or API error
diff --git a/action.yml b/action.yml
index bc5c803..beb24f1 100644
--- a/action.yml
+++ b/action.yml
@@ -25,9 +25,9 @@ inputs:
 required: false
 default: 'sarif'
 fail-on:
- description: 'Comma-separated severity levels to fail on (e.g., HIGH,CRITICAL)'
+ description: 'Comma-separated severity levels to fail on (e.g., HIGH,CRITICAL). Empty string for informational mode (never fail).'
 required: false
- default: 'CRITICAL'
+ default: ''
 exit-code:
 description: 'Exit code to return when build fails'
 required: false
From 3bb04a79732e629d8d3873f9f62bb141b6b1ecdb Mon Sep 17 00:00:00 2001
From: Yiftach Cohen
Date: Thu, 19 Feb 2026 12:36:25 +0200
Subject: [PATCH 2/5] fix(lint): exclude false positive gosec rules for v2.10
Golangci-lint v2.10 introduces stricter gosec rules that produce false positives for this codebase:
- G101: Test files with example credentials (intentional)
- G115: uintptr->int for terminal detection (standard Go pattern)
- G117: ClientSecret field names (legitimate config struct fields)
- G204: docker/podman exec (image names are validated)
- G704/G705: SSRF/XSS taint (admin-configured URLs, not user input)
- QF1012: staticcheck style suggestion (not a bug)
---
 .golangci.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/.golangci.yml b/.golangci.yml
index 6a98a9f..ab95cb9 100644
--- a/.golangci.yml
+++ b/.golangci.yml
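Review bot: In the added informational-mode branch the findings count is written only to the plain step log, so a run that found issues in informational mode looks identical to a clean run in the checks UI and on the PR. Emitting a workflow command instead, `echo "::warning::Armis scan ran in informational mode (no fail-on threshold). Found ${RESULTS_COUNT:-0} issues."`, surfaces the count as an annotation without changing the exit status; guarding it with `[ "${RESULTS_COUNT:-0}" != "0" ]` keeps clean runs free of annotations. The same applies to the reworked informational branch in patch 5/5 of this series. The step's `env` block and the rest of the script continue outside this hunk.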
@@ -13,3 +13,23 @@ linters:
 - gosec
 - goconst
 - misspell
+
+linters-settings:
+ gosec:
+ excludes:
+ # G101: Hardcoded credentials - false positives in test files with example data
+ - G101
+ # G115: Integer overflow uintptr->int - standard Go pattern for terminal/fd detection
+ - G115
+ # G117: Struct fields matching secret patterns - legitimate config struct fields
+ - G117
+ # G204: Subprocess with variable - we validate image names before exec
+ - G204
+ # G704: SSRF via taint - URLs are admin-configured endpoints, not user input
+ - G704
+ # G705: XSS via taint - output is to stderr/terminal, not HTML
+ - G705
+ staticcheck:
+ checks:
+ - "all"
+ - "-QF1012" # WriteString(fmt.Sprintf) style suggestion - not a bug
From 36ea1cf94bcf6c6d86ec153d175b892cdc9f4c8e Mon Sep 17 00:00:00 2001
From: Yiftach Cohen
Date: Thu, 19 Feb 2026 12:45:22 +0200
Subject: [PATCH 3/5] fix(ci): pin golangci-lint to v2.7.2 for consistent linting
Pin the golangci-lint version in CI to match local development version (v2.7.2) to avoid schema validation errors from newer rule IDs not recognized in the config schema. Also fixes gosec exclusions:
- G101: Test file example credentials (false positive)
- G115: uintptr->int for terminal detection (standard pattern)
- G204: docker/podman exec (validated image names)
---
 .github/workflows/ci.yml | 2 +-
 .golangci.yml | 33 +++++++++++++-------------------
 2 files changed, 14 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3950250..e3f698a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -82,7 +82,7 @@ jobs:
 - name: golangci-lint
 uses: golangci/golangci-lint-action@v9
 with:
- # Version omitted to use action's default (tracks Go compatibility)
+ version: v2.7.2
 args: --timeout=5m
 # Posts a sticky coverage comment to PRs (updates in place, details collapsed)
diff --git a/.golangci.yml b/.golangci.yml
index ab95cb9..5167555 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -13,23 +13,16 @@ linters:
 - gosec
 - goconst
 - misspell
-
-linters-settings:
- gosec:
- excludes:
- # G101: Hardcoded credentials - false positives in test files with example data
- - G101
- # G115: Integer overflow uintptr->int - standard Go pattern for terminal/fd detection
- - G115
- # G117: Struct fields matching secret patterns - legitimate config struct fields
- - G117
- # G204: Subprocess with variable - we validate image names before exec
- - G204
- # G704: SSRF via taint - URLs are admin-configured endpoints, not user input
- - G704
- # G705: XSS via taint - output is to stderr/terminal, not HTML
- - G705
- staticcheck:
- checks:
- - "all"
- - "-QF1012" # WriteString(fmt.Sprintf) style suggestion - not a bug
+ settings:
+ gosec:
+ excludes:
+ # G101: Hardcoded credentials - false positives in test files with example data
+ - G101
+ # G115: Integer overflow uintptr->int - standard Go pattern for terminal/fd detection
+ - G115
+ # G204: Subprocess with variable - we validate image names before exec
+ - G204
+ staticcheck:
+ checks:
+ - "all"
+ - "-QF1012" # WriteString(fmt.Sprintf) style suggestion - not a bug
From 89df2ba6d4064c41492210f18bf0c142ef195c6d Mon Sep 17 00:00:00 2001
From: Yiftach Cohen
Date: Thu, 19 Feb 2026 14:30:49 +0200
Subject: [PATCH 4/5] fix(ci): update golangci-lint to v2.10.1 for Go 1.26 support
golangci-lint v2.7.2 was built with Go 1.25 and panics when analyzing code with Go 1.26 (which `go-version: stable` now resolves to).
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e3f698a..1a02095 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -82,7 +82,7 @@ jobs:
 - name: golangci-lint
 uses: golangci/golangci-lint-action@v9
 with:
- version: v2.7.2
+ version: v2.10.1
 args: --timeout=5m
 # Posts a sticky coverage comment to PRs (updates in place, details collapsed)
From 16e69a5c9d7a615e98e01eca66ff08f142da1093 Mon Sep 17 00:00:00 2001
From: Yiftach Cohen
Date: Thu, 19 Feb 2026 14:35:26 +0200
Subject: [PATCH 5/5] fix: address PR review feedback
- reusable-security-scan.yml: Check operational failures (timeout/API errors) before applying informational mode early-exit, ensuring scan execution problems are never masked
- .golangci.yml: Remove global gosec exclusions (G101/G115/G204) since the codebase already uses targeted #nosec and //nolint:gosec annotations at specific call sites
---
 .github/workflows/reusable-security-scan.yml | 27 ++++++++++++--------
 .golangci.yml | 8 ------
 2 files changed, 17 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/reusable-security-scan.yml b/.github/workflows/reusable-security-scan.yml
index 9f2f141..04dcf74 100644
--- a/.github/workflows/reusable-security-scan.yml
+++ b/.github/workflows/reusable-security-scan.yml
@@ -273,22 +273,29 @@ jobs:
 RESULTS_COUNT: ${{ steps.scan_analysis.outputs.results_count }}
 FAIL_ON: ${{ inputs.fail-on }}
 run: |
- # Informational mode: if fail-on is empty, never fail on findings
- if [ -z "$FAIL_ON" ]; then
- echo "Scan completed in informational mode (no fail-on threshold). Found ${RESULTS_COUNT:-0} issues."
- exit 0
- fi
-
+ # First, check for operational failures (timeout, API errors, etc.)
+ # These should always fail regardless of informational mode
 if [ "$SCAN_OUTCOME" = "failure" ] || [ "$SCAN_OUTCOME" = "cancelled" ]; then
 if [ "$HAS_RESULTS" = "false" ] || [ "${RESULTS_COUNT:-0}" = "0" ]; then
 # Scan failed without producing results - likely timeout or API error
 echo "::error::Armis scan failed (timeout, API error, or other issue). Check the 'Run Armis Security Scan' step for details."
 exit 1
- else
- # Scan completed but found vulnerabilities above threshold
- echo "::error::Security vulnerabilities detected by Armis (threshold: $FAIL_ON). Found $RESULTS_COUNT issues."
- exit 1
 fi
+ # Scan produced results but step marked as failure - findings exceeded threshold
+ # Fall through to threshold check below
+ fi
+
+ # Informational mode: if fail-on is empty, never fail on findings
+ # (but operational failures above are still caught)
+ if [ -z "$FAIL_ON" ]; then
+ echo "Scan completed in informational mode (no fail-on threshold). Found ${RESULTS_COUNT:-0} issues."
+ exit 0
+ fi
+
+ # Check if findings exceeded threshold
+ if [ "$SCAN_OUTCOME" = "failure" ]; then
+ echo "::error::Security vulnerabilities detected by Armis (threshold: $FAIL_ON). Found $RESULTS_COUNT issues."
+ exit 1
 fi
 echo "Scan completed successfully with no issues above threshold."
diff --git a/.golangci.yml b/.golangci.yml
index 5167555..3497db6 100644
--- a/.golangci.yml
+++ b/.golangci.yml
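Review bot: A cancelled scan that produced results now ends in the success message: the first block falls through when results are present, the informational branch is skipped when `FAIL_ON` is set, and the new threshold check only tests `"failure"`, so `SCAN_OUTCOME=cancelled` reaches `echo "Scan completed successfully with no issues above threshold."` and exits 0. The removed `else` branch failed for both outcomes, so this is a regression for callers that set a threshold, and in informational mode the same case is reported as a completed scan rather than an interrupted one. The smallest fix is to make the threshold check mirror the first condition, `if [ "$SCAN_OUTCOME" = "failure" ] || [ "$SCAN_OUTCOME" = "cancelled" ]; then`; treating `cancelled` as an operational failure regardless of results would be stricter still, since a cancelled scan is not a complete scan. The step's `env` block (where `SCAN_OUTCOME` and `HAS_RESULTS` are set) begins before this hunk.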
@@ -14,14 +14,6 @@ linters:
 - goconst
 - misspell
 settings:
- gosec:
- excludes:
- # G101: Hardcoded credentials - false positives in test files with example data
- - G101
- # G115: Integer overflow uintptr->int - standard Go pattern for terminal/fd detection
- - G115
- # G204: Subprocess with variable - we validate image names before exec
- - G204
 staticcheck:
 checks:
 - "all"