Fail Policies

When running in the command line, Sandworm can be configured to fail by exiting with code 1 when identifying specific issue types and/or severities. This makes it easy to integrate Sandworm as a part of your CI or Git hook flow.
To provide fail conditions, use the --fail-on command-line option, or the audit.failOn field in the .sandworm.config.json configuration file. You should provide an array of string conditions. Each condition has a required type and a required severity, joined by a dot. Possible types are *, root, dependencies, license, and meta. Possible severities are *, critical, high, moderate, and low. Using these, you can construct fail conditions like:
  • *.* - fail on any issue;
  • dependencies.* - fail on any vulnerability identified with the app dependencies;
  • root.* - fail on any vulnerability identified with the app itself;
  • *.critical - fail on any critical severity issue.
For example, to fail on any critical or high severity issues:
sandworm-audit --fail-on='["*.critical", "*.high"]'
No fail conditions are set by default.
Sandworm will also exit with code 1 if it encounters any errors that potentially alter the audit result.