Checkov's SoftFail not documented, working, and ignored by MSDO

[ncook-hxgn]

I've got "SoftFail": true in the MSDO config/.gdnconfig for my pipeline/repo,

and this does influence the commandline MSDO generates:

/home/vsts/work/_msdo/packages/nuget/Microsoft.Guardian.CheckovRedist_linux_amd64.3.2.497/tools/dist/checkov --directory /home/vsts/work/1/s/vmss --output sarif --quiet --soft-fail --enable-secret-scan-all-files --output-file-path /home/vsts/work/1/s/.gdn/.r/checkov/001/checkov.sarif

Checkov finds some errors, but returns 0 as instructed by soft fail being enabled.

    Tool run time: 11.7852427 seconds
    ------------------------------------------------------------------------------
    Checkov completed with exit code 0
    ------------------------------------------------------------------------------

The problem is that MSDO breaks my build anyway, because it's scanning for errors, and seems be be ignoring exit codes?

##[error]BreakException: Guardian detected one or more breaking results.

##[error]MSDO CLI exited with an error exit code: 8

Could MSDO be so kind as to respect the exit codes that I've carefully configured for this tool?

[DimaBir]

Hi @ncook-hxgn, thanks for the detailed writeup — the command output and logs made it easy to see exactly what's happening.

The short version is that SoftFail and the build break are two separate mechanisms, and SoftFail only affects the first one:

• SoftFail: true in your .gdnconfig controls Checkov's own exit code. As you saw, MSDO passes --soft-fail through and Checkov exits 0. That part is working as intended.
• Whether the pipeline fails is decided separately by MSDO, not by the individual tool's exit code. MSDO evaluates the SARIF results against its policy and raises BreakException (exit 8) when it finds breaking results. --soft-fail changes Checkov's exit code but doesn't remove the findings from the SARIF, so MSDO still sees them and breaks. That's why it looks like your exit code is being ignored — MSDO is intentionally not relying on it.

The knob you actually want is the break input on the task, not the tool config. Setting it to false lets the scan run and publish findings without failing the step:

- task: MicrosoftSecurityDevOps@1
  inputs:
    break: false

break defaults to false, so if your build is failing on exit 8 you most likely have it set to true somewhere — happy to take a look if you can share the task block.

On your first point, you're right that this interaction isn't documented, and that's a fair gap — the relationship between a tool's SoftFail and the task's break behavior should be spelled out. I've tagged this as a docs item so we track it.

Let me know if switching break to false gets you what you're after.