# Build Gate
The build gate turns SecureObs findings into a CI pass/fail decision. It runs after the `scan` command and evaluates only the findings that were ingested for the same `--pipeline-run-id`.
```mermaid
flowchart LR
    Scan["scan command"] --> Ingest["Findings ingested"]
    Ingest --> Policy["Project gate policy"]
    Policy --> Decision{"Blocking findings?"}
    Decision -->|No| Pass["Exit 0"]
    Decision -->|Yes| Block["Exit 3"]
```
## Run the gate

```bash
docker run --rm \
  -e SECUREOBS_API_KEY="<key>" \
  secureobs/scanner:v1 \
  gate \
    --project-id "<project-id>" \
    --tenant-id "<tenant-id>" \
    --pipeline-run-id "<unique-run-id>"
```
## Policies
Configure the policy in the SecureObs project settings:
| Policy | Behavior |
|---|---|
| Block on critical only | Fails only when CRITICAL findings exist |
| Block on critical and high | Fails when HIGH or CRITICAL findings exist |
| Never block | Records findings but always passes |
Suppressed findings do not count toward the gate.
## Exit Code Contract

| Exit code | Meaning |
|---|---|
| 0 | Gate passed |
| 1 | Invalid configuration or authentication |
| 2 | API/transient error after retries |
| 3 | Blocking findings detected |
## Common Mistakes

- The scan and gate steps use different pipeline run IDs.
- The scan step failed authentication, so no findings were ingested.
- The project policy is set to Never block.
- All relevant findings are suppressed.
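To make the policy, suppression and run-ID rules above concrete, here is an added Python model of the gate decision (illustrative code, not the SecureObs scanner's own). It covers only the pass/block outcome (exit 0 or 3); the configuration and API error codes (1 and 2) happen before any findings are evaluated and are not modelled. The `Finding` fields, policy names and sample findings are constructed assumptions, and the last test case reproduces the first "common mistake": a gate run with a pipeline run ID that matches no ingested findings passes silently.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    BLOCK_CRITICAL_ONLY = "critical-only"
    BLOCK_CRITICAL_AND_HIGH = "critical-and-high"
    NEVER_BLOCK = "never"


# Severities that each project policy treats as blocking.
BLOCKING_SEVERITIES = {
    Policy.BLOCK_CRITICAL_ONLY: {"CRITICAL"},
    Policy.BLOCK_CRITICAL_AND_HIGH: {"CRITICAL", "HIGH"},
    Policy.NEVER_BLOCK: set(),
}

EXIT_PASS = 0   # gate passed
EXIT_BLOCK = 3  # blocking findings detected


@dataclass(frozen=True)
class Finding:
    # Assumed shape of an ingested finding; field names are hypothetical.
    finding_id: str
    pipeline_run_id: str
    severity: str
    suppressed: bool = False


def blocking_findings(findings, pipeline_run_id, policy):
    """Findings that count toward the gate for this run and policy."""
    return [
        f for f in findings
        if f.pipeline_run_id == pipeline_run_id      # same run only
        and not f.suppressed                         # suppressed never count
        and f.severity.upper() in BLOCKING_SEVERITIES[policy]
    ]


def gate_exit_code(findings, pipeline_run_id, policy):
    """Exit code the gate would return: 3 if anything blocks, else 0."""
    return EXIT_BLOCK if blocking_findings(findings, pipeline_run_id, policy) else EXIT_PASS


# Constructed sample findings, not real scanner output.
SAMPLE_FINDINGS = [
    Finding("f-1", "run-42", "CRITICAL", suppressed=True),  # suppressed: ignored
    Finding("f-2", "run-42", "HIGH"),
    Finding("f-3", "run-42", "MEDIUM"),
    Finding("f-4", "run-41", "CRITICAL"),  # earlier run: ignored by this gate
]
```

Running `gate_exit_code(SAMPLE_FINDINGS, "run-42", policy)` gives 0 for "critical-only" (the only CRITICAL finding for this run is suppressed), 3 for "critical-and-high" (f-2), and 0 for "never".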