When a user sets both fail-on and fix: true in the same GitHub Actions workflow, the scan step exits 1 on findings before the fix step runs, preventing fixes from being applied.
What happens
The Action has two separate steps: "Run CVE Lite CLI scan" (always runs) and "Apply security fixes" (runs when fix: true). If fail-on: high is also set, the scan step exits 1 when high findings exist, which set -euo pipefail propagates - aborting the job before the fix step runs.
The fail-on exit suppression added in this PR only applies when --fix and --fail-on are in the same CLI invocation. In the Action they are in separate steps, so suppression does not help.
Current state
The docs warn: "No fail-on - not appropriate in fix mode." This is advisory only. A user who copy-pastes their scan workflow and adds fix: true without removing fail-on will get a silent failure with no actionable error.
Proposed fix
Add a check at the start of the "Apply security fixes" step:
if [[ -n "${INPUT_FAIL_ON}" ]]; then
echo "::warning::fail-on is set but ignored in fix mode. Remove fail-on from your fix workflow to avoid unexpected job failures."
fi
And suppress the scan step exit code when fix: true is active so the fix step always runs regardless of findings.
When a user sets both
fail-onandfix: truein the same GitHub Actions workflow, the scan step exits 1 on findings before the fix step runs, preventing fixes from being applied.What happens
The Action has two separate steps: "Run CVE Lite CLI scan" (always runs) and "Apply security fixes" (runs when
fix: true). Iffail-on: highis also set, the scan step exits 1 when high findings exist, whichset -euo pipefailpropagates - aborting the job before the fix step runs.The
fail-onexit suppression added in this PR only applies when--fixand--fail-onare in the same CLI invocation. In the Action they are in separate steps, so suppression does not help.Current state
The docs warn: "No
fail-on- not appropriate in fix mode." This is advisory only. A user who copy-pastes their scan workflow and addsfix: truewithout removingfail-onwill get a silent failure with no actionable error.Proposed fix
Add a check at the start of the "Apply security fixes" step:
And suppress the scan step exit code when
fix: trueis active so the fix step always runs regardless of findings.