Summary
The composite GitHub Action redirects both scanner stdout and stderr into scan-results.json (> ... 2>&1) and then treats a JSON parse failure as zero findings.
If the scanner emits any log or warning lines on stderr, they land in the same file, the JSON parse fails, and the action proceeds with:
ISSUES_COUNT=0
CRITICAL_COUNT=0
WARNING_COUNT=0
This is fail-open behavior for a security gate: a noisy or crashing scanner run passes the gate with zero findings instead of blocking.
Affected File
.github/actions/security-scan/action.yml
Reproduction
- Run the composite action where the scanner emits stderr output before or alongside its JSON report.
- Observe that scan-results.json is not valid JSON.
- The action falls back to zero counts instead of failing.
Expected
- JSON parse failure should fail the scan/job (fail-closed), not report zero findings.
- Keep structured scanner output parsing robust to stderr noise.
Suggested Fix
- Capture scanner JSON from stdout only (no 2>&1 into the results file).
- Keep logs on stderr so they still appear in the job log.
- If JSON parsing fails, report an explicit failure and exit non-zero.
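As an added example (not the project's action.yml), the `run:` step below shows the reported pattern next to the fixed one. The scanner is a constructed stand-in (`fake_scanner`) that logs a warning on stderr and prints its report on stdout; the report shape (`{"issues": [{"severity": ...}]}`), the helper names and the use of jq (with a python3 fallback, both present on GitHub-hosted Ubuntu runners) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the project's action.yml. Fail-open vs fail-closed
# handling of scanner output in a composite-action run: step.
set -u

SCAN_DIR="$(mktemp -d)"
REPORT="$SCAN_DIR/scan-results.json"
SCAN_LOG="$SCAN_DIR/scan.log"

# Constructed stand-in for the real scanner: a warning on stderr, then the
# JSON report on stdout. "malformed" simulates the scanner dying mid-output.
fake_scanner() {
  echo "WARN: rule pack is 3 days old" >&2
  if [ "${1:-ok}" = "malformed" ]; then
    printf '{"issues": [{"severity": "critical"}, '   # truncated JSON
  else
    printf '{"issues": [{"severity": "critical"}, {"severity": "warning"}, {"severity": "warning"}]}\n'
  fi
}

# Count issues in a report, optionally filtered by severity.
# Assumption: jq or python3 is installed. Exits non-zero on invalid JSON.
count_issues() {
  file="$1"; sev="${2:-}"
  if command -v jq >/dev/null 2>&1; then
    if [ -z "$sev" ]; then
      jq '.issues | length' "$file"
    else
      jq --arg s "$sev" '[.issues[] | select(.severity == $s)] | length' "$file"
    fi
  else
    python3 - "$file" "$sev" <<'EOF'
import json, sys
report = json.load(open(sys.argv[1]))   # raises (exit 1) on malformed JSON
sev = sys.argv[2]
print(sum(1 for i in report["issues"] if not sev or i.get("severity") == sev))
EOF
  fi
}

# BEFORE (the reported bug): stderr is merged into the report file, so the
# warning line breaks the parse, and the failure is swallowed as 0 findings.
run_scan_fail_open() {
  fake_scanner "${1:-ok}" > "$REPORT" 2>&1
  ISSUES_COUNT=$(count_issues "$REPORT" 2>/dev/null || echo 0)
  echo "$ISSUES_COUNT"
}

# AFTER (suggested fix): only stdout goes into the report, scanner logs are
# kept on stderr (via a log file so they still reach the job log), and any
# parse failure aborts the step with a non-zero status instead of 0 counts.
run_scan_fail_closed() {
  fake_scanner "${1:-ok}" > "$REPORT" 2> "$SCAN_LOG"
  cat "$SCAN_LOG" >&2
  if ! ISSUES_COUNT=$(count_issues "$REPORT") ||
     ! CRITICAL_COUNT=$(count_issues "$REPORT" critical) ||
     ! WARNING_COUNT=$(count_issues "$REPORT" warning); then
    echo "::error::scan-results.json is not valid JSON; refusing to report zero findings" >&2
    return 1
  fi
  echo "$ISSUES_COUNT $CRITICAL_COUNT $WARNING_COUNT"
}

# Demo: the buggy path reports 0 on a clean run that has 3 real findings;
# the fixed path reports "3 1 2" and fails the step on malformed output.
echo "fail-open   (ok run):        $(run_scan_fail_open ok) issue(s)"
echo "fail-closed (ok run):        $(run_scan_fail_closed ok 2>/dev/null)"
run_scan_fail_closed malformed 2>/dev/null || echo "fail-closed (malformed run): exit status $?"
```

In the real action the three counts would be written to `$GITHUB_OUTPUT` after the parse check; the point is that the check runs before anything is emitted, so a parse failure never becomes a green gate.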
Acceptance Criteria
- Invalid/malformed scanner output causes job failure.
- Valid output still produces correct issues_count, critical_count, warning_count.