Fail on Severity threshold to fail STO pipelines based on the severity of detected issues
You can set up your pipelines to fail automatically if a scan step detects any issues with a specified severity or higher. This is good practice for all integrated pipelines because it stops the pipeline from building and publishing artifacts that contain serious vulnerabilities.
Basic workflow to fail pipelines by severity in STO
Every Custom Scan step has a Fail on Severity setting. If the scan finds any vulnerability with the specified severity level or higher, the pipeline fails automatically. You can specify one of the following:

- CRITICAL
- HIGH
- MEDIUM
- LOW
- INFO
- NONE (do not fail on severity)

The YAML definition looks like this:

```yaml
fail_on_severity : critical # | high | medium | low | info | none
```
Use Policy as Code to fail pipelines and notify users in STO
You can implement failure-handling mechanisms using Harness Policy as Code. Using policies to stop pipelines has the following advantages:

- You can define one set of policies based on your organization's requirements and then enforce these policies across all pipelines. This allows for centralized enforcement.
- You can define advanced policies such as "The target can't have any critical or high-severity issues, or any medium-severity issues that aren't in the target's baseline."
- Because the policy is evaluated after the scan completes (rather than failing the scan step itself), the full scan results are available, so you can view them in detail after the pipeline fails. You can include the scan results in automatic email or Slack notifications when a target violates specific policies.
For an example workflow, go to Stop pipelines automatically using governance policies.
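As an added example (not part of the Harness documentation and not Harness code), the following Python models the two decision rules this page describes: the Fail on Severity threshold, including the `none` setting, and the baseline-aware policy quoted above ("no critical or high issues, and no medium issues that aren't in the baseline"). The `Issue` type, the rule/location strings used as issue keys, the sample findings and the baseline set are all constructed for the demonstration. In Harness the policy itself is written in Rego against the scan results; this block only reproduces its logic so you can see what passes and what fails.

```python
"""Severity-threshold and baseline-aware policy checks for scan findings.

Added example: the data model, sample findings and baseline are constructed
here for illustration and are not Harness STO's internal representation.
"""
from dataclasses import dataclass

# Ordering used for "this severity or higher". NONE is handled separately
# because it disables the check rather than ranking below INFO.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Issue:
    key: str        # hypothetical stable key: rule ID plus location
    severity: str   # one of the SEVERITY_RANK names, any case


def _rank(severity):
    """Map a severity name to its rank, rejecting anything unknown."""
    name = severity.upper()
    if name not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {severity}")
    return SEVERITY_RANK[name]


def fail_on_severity(issues, threshold):
    """Mirror the step setting: True if any issue is at or above threshold.

    threshold "none" never fails, matching the YAML comment on this page.
    """
    if threshold.upper() == "NONE":
        return False
    floor = _rank(threshold)
    return any(_rank(issue.severity) >= floor for issue in issues)


def policy_violations(issues, baseline_keys):
    """Implement the advanced policy quoted on this page.

    Deny any CRITICAL or HIGH issue unconditionally, and deny MEDIUM issues
    whose key is not already in the target's baseline. Returns a list of
    deny messages; an empty list means the policy passes, which is the same
    shape a Rego "deny" rule set produces.
    """
    messages = []
    for issue in issues:
        sev = issue.severity.upper()
        if sev in ("CRITICAL", "HIGH"):
            messages.append(f"{issue.key}: {sev} issues are never allowed")
        elif sev == "MEDIUM" and issue.key not in baseline_keys:
            messages.append(f"{issue.key}: new MEDIUM issue not in baseline")
    return messages


# Constructed sample scan results and baseline for the demonstration.
SAMPLE_ISSUES = [
    Issue("sqli@src/login.py:42", "HIGH"),
    Issue("weak-hash@src/auth.py:17", "MEDIUM"),   # in baseline: tolerated
    Issue("open-redirect@src/views.py:88", "MEDIUM"),  # new: violation
    Issue("debug-flag@config.py:3", "LOW"),
]
SAMPLE_BASELINE = {"weak-hash@src/auth.py:17"}

if __name__ == "__main__":
    for level in ("critical", "high", "low", "none"):
        print(f"fail_on_severity={level}: {fail_on_severity(SAMPLE_ISSUES, level)}")
    for msg in policy_violations(SAMPLE_ISSUES, SAMPLE_BASELINE):
        print("deny:", msg)
```

Running it with the constructed sample data shows the difference between the two mechanisms: a `fail_on_severity: critical` threshold lets this scan through, while the baseline-aware policy still denies it twice (the HIGH issue and the MEDIUM issue that is not in the baseline). The baseline comparison is what keeps a long-standing, accepted MEDIUM finding from blocking every build while still catching newly introduced ones.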