Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Option to fail the build when scan results cannot be downloaded #50

Merged
merged 2 commits into from
Jun 20, 2024
Merged

feat: Option to fail the build when scan results cannot be downloaded #50

merged 2 commits into from
Jun 20, 2024

Conversation

lucaswilric
Copy link
Contributor

@lucaswilric lucaswilric commented Apr 30, 2024
edited
Loading

This change adds a boolean configuration item fail-build-on-plugin-failure. It allows users to treat all errors in the plugin as build failures, as suggested in the README.

fail-build-on-plugin-failure is false by default, preserving current behaviour.

When fail-build-on-plugin-failure is set to true, any error returned from runCommand will be treated as fatal.

Note: Since the load-bearing part of this change is in main.go, I was not quite sure how you would prefer to have it tested. I'd love some feedback on that in particular :)

@lucaswilric lucaswilric marked this pull request as ready for review April 30, 2024 07:42
@lucaswilric lucaswilric mentioned this pull request May 2, 2024
Merged
3 tasks
@github-actions GitHub Actions
Copy link

github-actions bot commented May 4, 2024

Package Line Rate Health
github.com/cultureamp/ecrscanresults/finding 95%
github.com/cultureamp/ecrscanresults/findingconfig 70%
github.com/cultureamp/ecrscanresults/registry 11%
github.com/cultureamp/ecrscanresults/report 86%
github.com/cultureamp/ecrscanresults/runtimeerrors 83%
Summary 66% (444 / 674)

@lucaswilric lucaswilric mentioned this pull request May 13, 2024
Closed
@jamestelfer
Copy link
Member

@lucaswilric Thanks for this PR. I apologise that I haven't seen this till now: that's on me.

I will have a look and respond: please let me know if you're still happy to work on this!

@jamestelfer jamestelfer self-requested a review June 18, 2024 01:19
@lucaswilric
Copy link
Contributor Author

Hi @jamestelfer! I'm still happy to contribute on this one. I have some AFK time coming up, so it's possible one of my teammates may pitch in instead.

Since I posted this PR, my team has thought it'd be helpful to use separate exit codes for "couldn't get results" and "got results and they're bad". This would provide a nice hook into Buildkite's soft_fail functionality. What do you think?

@jamestelfer
Copy link
Member

I'm still happy to contribute on this one.

Thank you!

be helpful to use separate exit codes for "couldn't get results" and "got results and they're bad".

Sounds good to me!

This plugin runs in a post-checkout hook: we're generally using it as a follow up to a docker-compose plugin definition that pushes the container. If we retry the whole step, it will republish the image. However: it's definitely possible to run this plugin with a no-op script on the step so it runs standalone.

Depending on the use-case this would make sense, so I'm happy to see this go in (with the caveats documented).

Main reasons for failures in my experience are:

  • can't process this image at all
  • didn't get a report in time (timeout waiting for the status to resolve)
  • image reference was wrong
  • AWS credentials timed out
  • IAM permissions borked

For the "didn't get a report in time" issue, an ability to extend the timeout could be given.

How are you using the plugin? Would retries help for your failure scenarios?

I was not quite sure how you would prefer to have it tested.

(from the PR description) Gotta say, I'm not sure how I'd like it tested either. I've toyed with the idea of factoring it around to enable this, but I'm really happy to listen to something that sounds simpler.

jamestelfer
jamestelfer approved these changes Jun 18, 2024
View reviewed changes
Copy link
Member

@jamestelfer jamestelfer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM.

Testing main is currently not really there: I'd be happy for you to suggest what you'd like to see, either in this or another PR.

The exit_code change would also be OK: feel free to use another PR if you'd like to. The current one has hung around for ages so it would be good to get this one moving.

README.md
> If blocking on configuration or retrieval failures is desired for use case,
> consider submitting a PR to allow this to be configured.
> If blocking on configuration or retrieval failures is desired for your use
> case, see the `fail-build-on-plugin-failure` configuration item below.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: it would be nice for this to link, but not essential

@jamestelfer jamestelfer merged commit 8f46c89 into cultureamp:main Jun 20, 2024
2 checks passed
@amu-g amu-g mentioned this pull request Jun 27, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jamestelfer jamestelfer jamestelfer approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lucaswilric @jamestelfer