Dependency Scanning needs to fail pipeline based on thresholds

I would like to be able to fail my build job when a certain number of CRIT or HIGH vulns have been detected by dependency scanning:

  • If there are >0 CRIT or high vulnerabilities detected
  • Also if >= 5 MEDIUM
  • Using gitlab.com
  • I have tried updating my .gitlab-ci.yml file to look like:

```yaml
include:
  - template: Dependency-Scanning.gitlab-ci.yml

dependency_scanning:
  script:
  allow_failure: false
```

Although that one in particular fails because I need to supply something to the `script:` line (a string); however, I only put that in because it’s not optional. What I really want to do is override the `allow_failure` flag, as it’s `true` in the template.

I think what I really need to do is merge the YAML, but that would only get me half way there.

The most important part is to fail the job based on the number of CRIT / HIGH / MEDIUM vulns discovered, so that when the CI job gets to the test environment it’s not allowed through the pipeline until these are all fixed.

Separately, this could also cause a problem as many are marked as “unknown” severity, but that’s a different issue.
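One way to get the threshold gate the post asks for is a small follow-up job that reads the `gl-dependency-scanning-report.json` artifact and exits non-zero when the counts cross the limits. This is an added example, not code from the original post or from GitLab; it assumes the report's `vulnerabilities` array carries a `severity` string (Critical, High, Medium, Low, Unknown, Info) and the sample report is constructed, not a real scan.

```python
import json
import sys

# Constructed sample in the shape of a gl-dependency-scanning-report.json;
# only the fields this check reads are present, and the ids are placeholders.
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"id": "constructed-1", "severity": "High", "message": "constructed finding"},
        {"id": "constructed-2", "severity": "Medium", "message": "constructed finding"},
        {"id": "constructed-3", "severity": "Unknown", "message": "constructed finding"},
    ]
}

# Thresholds from the post: any Critical or High fails, 5 or more Medium fails.
# A severity is a violation when its count is >= its limit.
DEFAULT_THRESHOLDS = {"critical": 1, "high": 1, "medium": 5}


def count_by_severity(report):
    """Tally findings per severity, case-insensitively; missing severity counts as unknown."""
    counts = {}
    for vuln in report.get("vulnerabilities", []):
        sev = str(vuln.get("severity", "Unknown")).lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def violations(counts, thresholds=DEFAULT_THRESHOLDS):
    """Return (severity, count, limit) for every threshold that is met or exceeded."""
    return [(sev, counts.get(sev, 0), limit)
            for sev, limit in thresholds.items()
            if counts.get(sev, 0) >= limit]


def gate(report_path):
    """Load a report file and return the exit code a CI job should use (0 = pass)."""
    with open(report_path) as fh:
        counts = count_by_severity(json.load(fh))
    # Unknown-severity findings are reported but do not fail the job on their own,
    # since the post treats them as a separate problem.
    print(f"unknown-severity findings: {counts.get('unknown', 0)}")
    failed = violations(counts)
    for sev, count, limit in failed:
        print(f"FAIL: {count} {sev} finding(s), limit is {limit}")
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(gate(sys.argv[1] if len(sys.argv) > 1 else "gl-dependency-scanning-report.json"))
```

In `.gitlab-ci.yml` this would run as a job in a later stage with `needs: [dependency_scanning]` and `allow_failure: false`, so the template's own `allow_failure: true` is left untouched and the gate job is what blocks the pipeline.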