When running in the command line, Sandworm can be configured to fail by exiting with code 1 when identifying specific issue types and/or severities. This makes it easy to integrate Sandworm as a part of your CI or Git hook flow.
To provide fail conditions, use the
--fail-oncommand-line option, or the
audit.failOnfield in the
.sandworm.config.jsonconfiguration file. You should provide an array of string conditions. Each condition has a required type and a required severity, joined by a dot. Possible types are
meta. Possible severities are
low. Using these, you can construct fail conditions like:
*.*- fail on any issue;
dependencies.*- fail on any vulnerability identified with the app dependencies;
root.*- fail on any vulnerability identified with the app itself;
*.critical- fail on any critical severity issue.
For example, to fail on any critical or high severity issues:
sandworm-audit --fail-on='["*.critical", "*.high"]'
No fail conditions are set by default.
Sandworm will also exit with code 1 if it encounters any errors that potentially alter the audit result.