Enforcing in CI/CD
Gate without alert fatigue.
The whole point of IaC scanning is to gate delivery, and the pattern is the familiar one: scan on every pull request, block the merge on findings that matter, and surface results where developers already work. The nuance that makes or breaks it is what “matters” — gate hard on high/critical severity and on new findings (via a baseline), and report the rest, so the gate is meaningful without being a wall.
jobs:checkov:steps:- uses: bridgecrewio/checkov-action@v12with:directory: .soft_fail_on: LOW,MEDIUM # report, do not block# hard-fail on HIGH/CRITICAL and new findingsbaseline: .checkov.baselineoutput_format: sarif- uses: github/codeql-action/upload-sarif@v3 # findings in the PR Security tabwith: { sarif_file: results.sarif }
Beating alert fatigue
The failure mode of every scanning program is noise: too many findings, developers stop reading them, and eventually someone disables the gate. Counter it deliberately — baseline existing debt so only new issues block, tune severities so the gate reflects real risk, scope suppressions with reasons, and put remediation guidance in the finding. A scanner that blocks a merge on a critical, actionable issue with a clear fix gets respected; one that dumps 300 mixed findings gets muted.
# a pragmatic gate: new critical/high findings block; the rest inform$ checkov -d . --baseline .checkov.baseline --hard-fail-on HIGH,CRITICAL \--soft-fail-on LOW,MEDIUM --compact