PR #6: Exit Code Standardization & --fail-on Flag #396
Merged
SafeDep Report Summary: No dependency changes detected. Nothing to scan. This report is generated by SafeDep Github App.

Codecov Report: ❌ Patch coverage is

Additional details and impacted files:

```
@@ Coverage Diff @@
##             main     #396      +/-   ##
==========================================
- Coverage   79.76%   79.76%   -0.01%
==========================================
  Files          78       79       +1
  Lines        7799     7846      +47
==========================================
+ Hits         6221     6258      +37
- Misses       1333     1343      +10
  Partials      245      245
```
This was referenced Nov 22, 2025
Implement standardized exit codes for security scan results:

- Exit 0: Success (no findings or no fail-on match)
- Exit 1: Findings match fail-on severities
- Exit 2: Configuration or execution errors

Add core functionality:

- DetermineExitCode() with error precedence handling
- ParseFailOn() for comma-separated severity parsing
- ValidateSeverities() with case-insensitive validation
- InvalidSeverityError type for validation failures

All functions support case-insensitive severity matching for: critical, high, medium, low, info.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Add --fail-on flag to both scan and ci commands for controlling exit codes based on finding severities.

Changes to scan command:

- Add --fail-on flag for severity-based exit control
- Track scan errors with scanErrors boolean
- Replace hardcoded exit(1) with DetermineExitCode()
- Validate --fail-on severities at startup

Changes to ci command:

- Add --fail-on flag matching scan behavior
- Track execution errors with hadErrors boolean
- Remove per-format exit code logic
- Centralize exit code determination after output formatting
- Validate --fail-on severities at startup

Both commands now:

- Exit 0 by default regardless of findings
- Exit 1 only when findings match --fail-on severities
- Exit 2 on configuration/execution errors
- Support case-insensitive severity validation

Fixes bug where SARIF output always exited 0.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Add comprehensive integration tests verifying actual binary exit codes across different scenarios and commands.

Test coverage:

- Clean projects (exit 0)
- Findings without --fail-on (exit 0)
- Findings matching --fail-on (exit 1)
- Findings not matching --fail-on (exit 0)
- Invalid severities (exit via error)
- Case-insensitive severity matching

Tests for both scan and ci commands across all output formats (SARIF, JSON, CSV).

Integration tests require:

- INTEGRATION=1 environment variable
- Pre-built binary: gradle buildGo
- Test fixtures in test/fixtures/

All tests use context.WithTimeout for safety and proper cleanup.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
a160faa to 8eda45b
shivasurya added a commit that referenced this pull request Nov 22, 2025
## Summary

Final PR in the output standardization stack. Removes deprecated `query` and `analyze` commands and adds comprehensive documentation for all output formats, verbosity levels, and exit codes.

## Changes

### Deprecated Commands Removed

- **`cmd/query.go`** - Removed entirely
- **`cmd/query_test.go`** - Removed entirely
- **`cmd/analyze.go`** - Removed entirely
- **`main_test.go`** - Updated to remove references to deprecated commands

**BREAKING CHANGE**: No backward compatibility provided per requirements.

### Documentation Updates

#### README.md

- **Usage Examples**: Scan and CI command examples
- **Output Formats**: Text, JSON, CSV, SARIF examples with real output
- **Verbosity Levels**: Table showing default/verbose/debug behavior
- **Exit Codes**: Table and examples for exit code 0, 1, 2

#### docs/CLI.md (New)

- **Command Reference**: Complete flag documentation for all commands
- **Output Format Reference**: JSON schema, CSV columns, SARIF features
- **Exit Code Reference**: Detailed exit code behavior and --fail-on syntax

### Verification Tests

- **`cmd/command_cleanup_test.go`**: Integration tests verifying:
  - `query` command returns "unknown command"
  - `analyze` command returns "unknown command"
  - Help text no longer mentions removed commands

## Test Results

All tests passing ✅

```bash
$ gradle testGo
ok .../cmd 0.343s

$ ./build/go/pathfinder query
Error: unknown command "query" for "pathfinder"

$ ./build/go/pathfinder analyze
Error: unknown command "analyze" for "pathfinder"

$ ./build/go/pathfinder --help | grep -E "(query|analyze)"
# (no output - commands not shown)
```

## Documentation Examples

### Scan Command

```bash
pathfinder scan --rules rules/ --project /path/to/project
pathfinder scan --rules rules/ --project . --verbose
pathfinder scan --rules rules/ --project . --fail-on=critical,high
```

### CI Command

```bash
pathfinder ci --rules rules/ --project . --output json > results.json
pathfinder ci --rules rules/ --project . --output sarif > results.sarif
pathfinder ci --rules rules/ --project . --output csv --fail-on=critical
```

### Exit Code Behavior

```bash
# Default: always exit 0
pathfinder scan --rules rules/ --project .
echo $?  # 0 even with findings

# Fail on critical or high
pathfinder scan --rules rules/ --project . --fail-on=critical,high
echo $?  # 1 if critical/high found, 0 otherwise
```

## Migration Notes

### Breaking Changes

- **`query` command removed**: Use `scan` command instead
- **`analyze` command removed**: Use `scan` or `ci` command instead
- No migration path provided per requirements

### Non-Breaking

- All existing `scan` and `ci` commands continue to work
- Documentation is backwards compatible

## Checklist

- [x] query command removed
- [x] analyze command removed
- [x] main_test.go updated
- [x] Verification tests added
- [x] README.md updated with comprehensive docs
- [x] docs/CLI.md created
- [x] All tests passing
- [x] Linter passing
- [x] Binary builds successfully
- [x] Help text verified

## Stacked PRs

This PR stacks on top of:

- PR #6: Exit Code Standardization (#396)

This is the **final PR** in the output standardization feature stack.

## Verification

Commands removed successfully:

```bash
$ ./build/go/pathfinder query
Error: unknown command "query" for "pathfinder"
$ ./build/go/pathfinder analyze
Error: unknown command "analyze" for "pathfinder"
```

Valid commands work:

```bash
$ ./build/go/pathfinder scan --help
# Shows scan command help
$ ./build/go/pathfinder ci --help
# Shows ci command help
```

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary

Implements standardized exit codes and the `--fail-on` flag for both `scan` and `ci` commands, enabling selective CI/CD pipeline failures based on security finding severities.

## Changes

### Core Exit Code Logic (`output/exit_code.go`)

- `ExitCodeSuccess` (0): No findings or no `--fail-on` match
- `ExitCodeFindings` (1): Findings match `--fail-on` severities
- `ExitCodeError` (2): Configuration or execution errors

### Command Integration

### Bug Fixes

## Testing

### Unit Tests (`output/exit_code_test.go`)

- `DetermineExitCode()` covering all exit scenarios
- `ParseFailOn()` covering edge cases
- `ValidateSeverities()` covering validation

### Integration Tests (`cmd/exit_code_integration_test.go`)

- Require `INTEGRATION=1` and pre-built binary

Test Results: All tests passing ✅

## Examples

## Migration Notes

### Breaking Changes

- Failing on findings now requires the `--fail-on` flag.
- Use `--fail-on critical,high` to maintain previous fail-on-findings behavior.

### Non-Breaking

- Existing commands without `--fail-on` continue to work (exit 0)

## Checklist

## Stacked PRs

This PR stacks on top of:

🤖 Generated with Claude Code
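As an added example (constructed here, not pathfinder's own `output/exit_code.go`), the exit-code policy described in this PR in Go: `ParseFailOn`, `ValidateSeverities` with `InvalidSeverityError`, and `DetermineExitCode` with errors taking precedence over `--fail-on` matches. The function names follow the PR description; their signatures and bodies are assumptions.

```go
// Constructed illustration of the exit-code policy this PR describes; not pathfinder's own output/exit_code.go.
package main
import "strings"

const (
	ExitCodeSuccess  = 0 // no findings, or none matching --fail-on
	ExitCodeFindings = 1 // at least one finding matches a --fail-on severity
	ExitCodeError    = 2 // configuration or execution error
)

// Severities accepted by --fail-on; matching is case-insensitive throughout.
var knownSeverities = map[string]bool{"critical": true, "high": true, "medium": true, "low": true, "info": true}

// InvalidSeverityError reports an unrecognised --fail-on entry (assumed shape).
type InvalidSeverityError struct{ Severity string }
func (e *InvalidSeverityError) Error() string { return "invalid --fail-on severity: " + e.Severity }

// ParseFailOn turns "Critical, HIGH" into ["critical" "high"]: trims, lower-cases, drops empties.
func ParseFailOn(s string) (out []string) {
	for _, p := range strings.Split(s, ",") {
		if p = strings.ToLower(strings.TrimSpace(p)); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// ValidateSeverities returns an InvalidSeverityError for the first unknown entry.
func ValidateSeverities(sevs []string) error {
	for _, s := range sevs {
		if !knownSeverities[strings.ToLower(s)] {
			return &InvalidSeverityError{Severity: s}
		}
	}
	return nil
}

// DetermineExitCode: execution errors win, then a --fail-on match, otherwise success.
func DetermineExitCode(hadErrors bool, findings, failOn []string) int {
	if hadErrors {
		return ExitCodeError
	}
	for _, f := range findings {
		for _, s := range failOn {
			if strings.EqualFold(f, s) {
				return ExitCodeFindings
			}
		}
	}
	return ExitCodeSuccess
}
```

A command would call `ValidateSeverities` on the parsed flag at startup and exit 2 on error, then pass the collected finding severities and an error flag to `DetermineExitCode` after output formatting, so every output format shares one exit path.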