| Field | Value |
|---|---|
| Category | CICD-SEC-10 |
| Severity | LOW |
| OWASP | CICD-SEC-10: Insufficient Logging and Visibility |
| Auto-fix | ✓ (what it does) |
What the check does
Flags any job that declarescontinue-on-error: true at the job level (not the step level). Only a literal true (or "true") is flagged — values driven by an expression (${{ ... }}) are intentionally dynamic and left alone.
Step-level continue-on-error: true is fine: it scopes failure-suppression to one step, the job still fails if other steps fail, and the run’s conclusion correctly reflects the failure.
Why it matters
continue-on-error: true at the job level changes the job’s reported conclusion from failure to success whenever its steps fail. The downstream consequences are not just cosmetic:
- Branch-protection required checks see green and let the merge through.
if: success()andneeds:dependents treat the job as having passed, so downstream jobs run on broken state.- Audit dashboards (GitHub’s Actions overview, status badges, third-party CI heat-maps) record the run as passing — the failure leaves no breadcrumb anyone is monitoring.
- Incident review later sees a green run and has nothing to correlate against the actual breakage.
Vulnerable example
Safe alternatives
If a single step is expected to fail, scope it there:Auto-fix
--fix removes the job-level continue-on-error: true entry. The job’s existing steps are untouched. If a specific step inside the job legitimately needs to absorb a failure, move continue-on-error: true to that step before fixing — the rule only flags the job-level form.