Skip to main content

Failing pipelines by severity in STO

You can set up your pipelines to fail automatically if a scan step detects any issues with a specified severity or higher. This is good practice for all integrated pipelines because it ensures that the pipeline doesn't build and publish updates with serious vulnerabilities.

Basic workflow: Fail on Severity

Every Security step has a Fail on Severity setting. If the scan finds any vulnerability with the specified severity level or higher, the pipeline fails automatically. You can specify one of the following:

  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
  • INFO
  • NONE — Do not fail on severity

The YAML definition looks like this: fail_on_severity : critical # | high | medium | low | info | none

note

fail_on_severity is a "brute-force" approach to stopping your pipelines. As soon as a scan step detects a blocking issue, the pipeline stops and does not retain output variables or any other security-test data. For this reason, you might want to stop your pipelines using policies as described below.

Advanced workflow: Use Policy as Code to stop pipelines and notify users

You can implement robust failure-handling mechanisms using Harness Policy as Code. Using policies to stop pipelines has the following advantages:

  • You can define one set of policies based on your organization's requirements and then enforce these policies across all pipelines. This allows for centralized enforcement.

  • You can define advanced policies such as "The target can't have any critical or high-severity issues, or any medium-severity issues that aren't in the target's baseline."

  • Because the pipeline fails after (not during) the scan, you can view the test results in detail after the pipeline fails. You can include the scan results in automatic email or Slack notifications when a target violates specific policies.

For an example workflow, go to Stop pipelines automatically using governance policies.