fix: semgrep reports all findings, fails only on ERROR severity

scottschreckengaust · scottschreckengaust · commit 30615fd61e8d · 2026-04-08T17:25:10.000Z
Match the bandit pattern: report all severity levels in SARIF for
GitHub Code Scanning visibility, but only fail the build when
ERROR-level findings exist.
diff --git a/.github/workflows/security-scanners.yml b/.github/workflows/security-scanners.yml
@@ -114,7 +114,6 @@ jobs:
             --sarif-output semgrep-report_sarif.json $BASELINE_ARGS
           SEMGREP_EXIT=$?
           set -e
-          echo "exit_code=$SEMGREP_EXIT" >> "$GITHUB_OUTPUT"
           exit 0
       - name: Fix SARIF for GitHub compatibility
         continue-on-error: true
@@ -148,6 +147,16 @@ jobs:
               else . end
             ]
           ' semgrep-report_sarif.json > semgrep.sarif.tmp.json && mv semgrep.sarif.tmp.json semgrep-report_sarif.json
+      - name: Check for ERROR severity findings
+        id: semgrep
+        run: |
+          # Fail only if ERROR severity findings exist (level=error in SARIF)
+          HIGH_COUNT=$(jq '[.runs[0].results[] | select(.level == "error")] | length' semgrep-report_sarif.json 2>/dev/null || echo 0)
+          if [ "$HIGH_COUNT" -gt 0 ]; then
+            echo "exit_code=1" >> "$GITHUB_OUTPUT"
+          else
+            echo "exit_code=0" >> "$GITHUB_OUTPUT"
+          fi
       - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: semgrep.sarif
