Fail Policies

When running in the command line, Sandworm can be configured to fail by exiting with code 1 when identifying specific issue types and/or severities. This makes it easy to integrate Sandworm as a part of your CI or Git hook flow.

To provide fail conditions, use the --fail-on command-line option, or the audit.failOn field in the .sandworm.config.json configuration file. You should provide an array of string conditions. Each condition has a required type and a required severity, joined by a dot. Possible types are *, root, dependencies, license, and meta. Possible severities are *, critical, high, moderate, and low. Using these, you can construct fail conditions like:

  • *.* - fail on any issue;

  • dependencies.* - fail on any vulnerability identified with the app dependencies;

  • root.* - fail on any vulnerability identified with the app itself;

  • *.critical - fail on any critical severity issue.

For example, to fail on any critical or high severity issues:

sandworm-audit --fail-on='["*.critical", "*.high"]'

No fail conditions are set by default.

Sandworm will also exit with code 1 if it encounters any errors that potentially alter the audit result.

Last updated