fix(cli): --exit-code no longer fails on the URL_SCAN_LIMITED INFO note#34
Open
dmchaledev wants to merge 1 commit into
Open
fix(cli): --exit-code no longer fails on the URL_SCAN_LIMITED INFO note#34dmchaledev wants to merge 1 commit into
dmchaledev wants to merge 1 commit into
Conversation
Scanning a secure https:// / wss:// endpoint with --exit-code printed
PASSED but exited 1: the URL_SCAN_LIMITED informational note counts as a
"finding", so `exitCode && report.findings.length > 0` was always true in
URL mode. This failed CI on every secure endpoint and contradicted the
note's own documented contract ("Not a vulnerability — INFO severity,
never fails a gate").
Extract the exit decision into a pure, testable shouldExitNonZero()
(mirroring the args.ts split) that ignores INFO-severity findings and
trips the --exit-code gate only on actionable (LOW+) findings. report.passed
is unchanged. Add exit.test.ts covering the regression and the surrounding cases.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01WMBVioQJ2owPKgCE6aS865
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Scanning a secure
https:///wss://endpoint with--exit-codeprintsPASSEDbut exits1— a false CI failure on the headline URL-scan path. This contradicts the explicit contract on the note itself insrc/types.ts("Not a vulnerability — INFO severity, never fails a gate") and the scanner test named "the URL_SCAN_LIMITED note is INFO severity and never fails the gate".Root cause
URL mode always emits a
URL_SCAN_LIMITEDINFO note. The CLI exit decision insrc/cli.tscounted it as a finding:So for a secure endpoint (no actionable findings, only the INFO note):
report.passed === true, butexitCode && findings.length > 0istrue→ exit1.Repro (built CLI, before fix)
MISSING_TLS(http://) andINSECURE_TRANSPORT(ws://) are unaffected — they are real LOW+ findings and should keep failing the gate.Fix
Extract the exit decision into a pure, side-effect-free
shouldExitNonZero()in a newsrc/exit.ts(mirroring the existingargs.tssplit that keeps testable logic out of theprocess.exit-calling entry point). It ignores INFO-severity findings and trips the--exit-codegate only on actionable (LOW+) findings.report.passedand the--fail-on/ score logic are unchanged.Verification
npm run lint✅npm run build✅npm test✅ — 124 passing (6 new cases insrc/__tests__/exit.test.ts).Acceptance criteria
--exit-codeon a securehttps:///wss://endpoint exits0, matching the report'sPASSED.--exit-codestill exits1forhttp://(MISSING_TLS) andws://(INSECURE_TRANSPORT).--exit-codestill exits1when any actionable finding accompanies the INFO note.🤖 Generated with Claude Code
https://claude.ai/code/session_01WMBVioQJ2owPKgCE6aS865
Generated by Claude Code