feat: Option to fail the build when scan results cannot be downloaded

README.md

@@ -7,15 +7,19 @@ configuration file][ignore-findings], and there are configurable thresholds on
 absolute numbers of allowed critical and high vulnerabilities.
 
 > [!WARNING]
-> This plugin will only fail the build if the thresholds are exceeded. Failing
-> to read configuration or to download scan results are not considered blocking
-> failures.
+> By default, this plugin will only fail the build if the thresholds are
+> exceeded. Failing to read configuration or to download scan results are only
+> considered blocking failures if `fail-build-on-plugin-failure` is explicitly
+> set to `true`.
 >
-> When configuring the plugin, check the plugin output to ensure that scan
-> results are being downloaded as expected.
+> When configuring the plugin, you can either:
+> - Check the plugin output to ensure that scan results are being downloaded as
+>   expected, or
+> - Set `fail-build-on-plugin-failure` to `true` to raise the visibility of
+>   problems with fetching scan results.
 >
-> If blocking on configuration or retrieval failures is desired for use case,
-> consider submitting a PR to allow this to be configured.
+> If blocking on configuration or retrieval failures is desired for your use
+> case, see the `fail-build-on-plugin-failure` configuration item below.
 
 ## Rendering
 
@@ -152,6 +156,18 @@ When supplied, this is used to title the report annotation in place of the
 repository name and tag. Useful sometimes when the repo name and tag make the
 reports harder to scan visually.
 
+### `fail-build-on-plugin-failure` (Optional, boolean. Default: false)
+
+By default, a failure to fetch the results of an image scan will not cause the
+build to fail, since scan access and availability can be flakey. The build will
+fail only if the plugin finds results and the results exceed `max-criticals` or
+`max-highs`.
+
+When set to `true`, the build will fail if the plugin fails to fetch scan
+results. This may results in builds failing even if the images have no
+vulnerabilities at all. Useful if you prefer to pass only with a confirmed good
+result.
+
 ## Requirements
 
 ### ECR Basic scanning only

plugin.yml

@@ -17,4 +17,6 @@ configuration:
       type: string
     image-label:
       type: string
+    fail-build-on-plugin-failure:
+      type: boolean
   additionalProperties: false

src/main.go

@@ -28,6 +28,7 @@ type Config struct {
 	ImageLabel                string `envconfig:"IMAGE_LABEL" split_words:"true"`
 	CriticalSeverityThreshold int32  `envconfig:"MAX_CRITICALS" split_words:"true"`
 	HighSeverityThreshold     int32  `envconfig:"MAX_HIGHS" split_words:"true"`
+	FailBuildOnPluginFailure  bool   `envconfig:"FAIL_BUILD_ON_PLUGIN_FAILURE" default:"false"`
 }
 
 func main() {
@@ -52,10 +53,11 @@ func main() {
 	if err != nil {
 		buildkite.LogFailuref("plugin execution failed: %s\n", err.Error())
 
-		// For this plugin, we don't want to block the build on most errors:
-		// scan access and availability can be quite flakey. For this reason, we
-		// wrap most issues in a non-fatal error type.
-		if runtimeerrors.IsFatal(err) {
+		// For this plugin, we don't want to block the build on most errors
+		// unless specifically configured to do so: scan access and availability
+		// can be quite flakey. For this reason, we wrap most issues in a
+		// non-fatal error type.
+		if pluginConfig.FailBuildOnPluginFailure || runtimeerrors.IsFatal(err) {
 			os.Exit(1)
 		} else {
 			// Attempt to annotate the build with the issue, but it's OK if the