Add option to not fail on vulnerability being found for github action (…

…google#732) Add an option for the github action reporter to not return a failing code when vulnerabilities are found. This can be used to switch the osv-scanner action into a more "informative" mode rather than forcing strictly 0 vulnerabilities. The success/failure of a workflow can now indicate whether the workflow itself completely successfully and uploaded scan results, rather than showing the contents of the results. A followup PR will be created adding the option to the workflows once this is merged.
cuixq · Jan 5, 2024 · 2c9533f · 2c9533f
1 parent ff7f2d6
commit 2c9533f
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/cmd/osv-reporter/main.go b/cmd/osv-reporter/main.go
@@ -76,6 +76,11 @@ func run(args []string, stdout, stderr io.Writer) int {
 				Name:  "gh-annotations",
 				Usage: "prints github action annotations",
 			},
+			&cli.BoolFlag{
+				Name:        "fail-on-vuln",
+				Usage:       "whether to return 1 when vulnerabilities are found",
+				DefaultText: "true",
+			},
 		},
 		Action: func(context *cli.Context) error {
 			var termWidth int
@@ -160,9 +165,11 @@ func run(args []string, stdout, stderr io.Writer) int {
 				}
 			}
 
+			// Default to true, only false when explicitly set to false
+			failOnVuln := !context.IsSet("fail-on-vuln") || context.Bool("fail-on-vuln")
+
 			// if vulnerability exists it should return error
-			if len(diffVulns.Results) > 0 {
-				// Otherwise return OnlyUncalledVulnerabilitiesFoundErr
+			if len(diffVulns.Results) > 0 && failOnVuln {
 				return osvscanner.VulnerabilitiesFoundErr
 			}