chore#122

Closed
ronens88 wants to merge 1 commit into main from fix/fail-on-prevented-risk

@ronens88 ronens88 commented May 18, 2026

Superseded.

Adds a 'fail-on-detected-risk' input (default true). When set, the
post step parses the cimon agent stop output for 'detectedRisks' and
fails the step if anything other than 'NoRisk' is reported.

This closes a gap where a hardening rule fires and the SIGKILL is
issued, but the offending process has already exited before the
signal can land. cimon logs the rule trigger and 'Failed to kill
violating process (may have already exited)', but the workflow step
exits successfully and the job goes green — even though the rule
caught the attack.

With this change, the workflow surface accurately reflects what cimon
prevented in prevent mode, regardless of whether the kill landed in
time. Detect-mode behavior is unchanged (the check is skipped when
prevent: false).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
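
The check this description outlines, as an added example (not the action's code and not part of this PR). The shape of the stop output, the `ExampleRisk` name and both function names are assumptions; only `detectedRisks`, `NoRisk`, the `prevent` and `fail-on-detected-risk` inputs and the quoted kill-failure message come from the description.

```javascript
'use strict';

// Collect every value reported under a "detectedRisks" key in mixed log text.
// Assumed shapes: "detectedRisks": ["A", "B"], "detectedRisks": "A", detectedRisks=A
function extractDetectedRisks(stopOutput) {
  const risks = [];
  const re = /"?detectedRisks"?\s*[:=]\s*(\[[^\]]*\]|"[^"]*"|[\w-]+)/g;
  for (const m of stopOutput.matchAll(re)) {
    const raw = m[1];
    const items = raw.startsWith('[') ? raw.slice(1, -1).split(',') : [raw];
    for (const item of items) {
      const value = item.trim().replace(/^"|"$/g, '');
      if (value) risks.push(value);
    }
  }
  return risks;
}

// Post-step decision as described: skipped when prevent is false, otherwise
// fail on anything other than 'NoRisk', whether or not the kill landed.
function evaluateStopOutput(stopOutput, { prevent, failOnDetectedRisk = true }) {
  if (!prevent || !failOnDetectedRisk) {
    return { fail: false, risks: [], reported: 0 };
  }
  const all = extractDetectedRisks(stopOutput);
  const risks = all.filter((r) => r !== 'NoRisk');
  // `reported` lets the caller warn when no detectedRisks field was seen at all.
  return { fail: risks.length > 0, risks, reported: all.length };
}

// Constructed sample output: the rule fired but the process had already exited.
const RACED_OUTPUT = [
  'rule triggered: <constructed rule name>',
  'Failed to kill violating process (may have already exited)',
  '{"detectedRisks": ["ExampleRisk"]}',
].join('\n');

// Constructed sample output for a clean run.
const CLEAN_OUTPUT = '{"detectedRisks": ["NoRisk"]}';

console.log(evaluateStopOutput(RACED_OUTPUT, { prevent: true }));
console.log(evaluateStopOutput(CLEAN_OUTPUT, { prevent: true }));
```
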
@ronens88
Contributor Author

Superseded.

@ronens88 ronens88 closed this May 18, 2026
@ronens88 ronens88 changed the title from "fail step when cimon prevent-mode detected a risk" to "chore" May 18, 2026
@ronens88 ronens88 deleted the fix/fail-on-prevented-risk branch May 18, 2026 09:29
@CycodeLabs CycodeLabs locked as resolved and limited conversation to collaborators May 18, 2026