Dependency Scanning needs to fail pipeline based on thresholds

Dependency Scanning needs to fail pipeline based on thresholds.

I would like to be able to fail my build job when a certain number of CRIT, HIGH vulns have been detected by dependency scanning:

  • If there are >0 CRIT or high vulnerabilities detected
  • Also if >= 5 MEDIUM
  • Using
  • I have tried updating my .gitlab-ci.yml file to look like :
  - template: Dependency-Scanning.gitlab-ci.yml
  allow_failure: false

Although that one in particular fails because I need to supply something to the script: line (a string) however I only put that in because it’s not optional. What I really want to do is override the allow_failure flag, as it’s true in the template.

I think what I really need to do is merge the YAML, but that would only get me half way there.

The most important part is to fail the job based on the number of CRIT/ HIGH / MEDIUM vulns discovered, so that when the CI job gets to the test environment it’s not allowed through the pipeline until these are all fixed.

Separately this could also cause a problem as many are marked as “unknown” severity, but that’s a different issue.