shivasurya
diff --git a/‎sourcecode-parser/cmd/ci.go‎
Lines changed: 20 additions & 12 deletions b/‎sourcecode-parser/cmd/ci.go‎
Lines changed: 20 additions & 12 deletions
diff --git a/‎sourcecode-parser/cmd/exit_code_integration_test.go‎
Lines changed: 230 additions & 0 deletions b/‎sourcecode-parser/cmd/exit_code_integration_test.go‎
Lines changed: 230 additions & 0 deletions
diff --git a/‎sourcecode-parser/cmd/scan.go‎
Lines changed: 16 additions & 2 deletions b/‎sourcecode-parser/cmd/scan.go‎
Lines changed: 16 additions & 2 deletions
@@ -38,6 +38,7 @@ Examples:
 		outputFormat, _ := cmd.Flags().GetString("output")
 		verbose, _ := cmd.Flags().GetBool("verbose")
 		debug, _ := cmd.Flags().GetBool("debug")
+		failOnStr, _ := cmd.Flags().GetString("fail-on")
 
 		// Setup logger with appropriate verbosity
 		verbosity := output.VerbosityDefault
@@ -48,6 +49,14 @@ Examples:
 		}
 		logger := output.NewLogger(verbosity)
 
+		// Parse and validate --fail-on severities
+		failOn := output.ParseFailOn(failOnStr)
+		if len(failOn) > 0 {
+			if err := output.ValidateSeverities(failOn); err != nil {
+				return err
+			}
+		}
+
 		if rulesPath == "" {
 			return fmt.Errorf("--rules flag is required")
 		}
@@ -107,13 +116,15 @@ Examples:
 		var allEnriched []*dsl.EnrichedDetection
 		allDetections := make(map[string][]dsl.DataflowDetection) // For SARIF compatibility
 		var scanErrors []string
+		hadErrors := false
 
 		for _, rule := range rules {
 			detections, err := loader.ExecuteRule(&rule, cg)
 			if err != nil {
 				errMsg := fmt.Sprintf("Error executing rule %s: %v", rule.Rule.ID, err)
 				logger.Warning("%s", errMsg)
 				scanErrors = append(scanErrors, errMsg)
+				hadErrors = true
 				continue
 			}
 
@@ -139,10 +150,6 @@ Examples:
 			if err := formatter.Format(allEnriched, scanInfo); err != nil {
 				return fmt.Errorf("failed to format SARIF output: %w", err)
 			}
-			if len(allEnriched) > 0 {
-				osExit(1)
-			}
-			return nil
 		case "json":
 			summary := output.BuildSummary(allEnriched, len(rules))
 			scanInfo := output.ScanInfo{
@@ -154,22 +161,22 @@ Examples:
 			if err := formatter.Format(allEnriched, summary, scanInfo); err != nil {
 				return fmt.Errorf("failed to format JSON output: %w", err)
 			}
-			if len(allEnriched) > 0 {
-				osExit(1)
-			}
-			return nil
 		case "csv":
 			formatter := output.NewCSVFormatter(nil)
 			if err := formatter.Format(allEnriched); err != nil {
 				return fmt.Errorf("failed to format CSV output: %w", err)
 			}
-			if len(allEnriched) > 0 {
-				osExit(1)
-			}
-			return nil
 		default:
 			return fmt.Errorf("unknown output format: %s", outputFormat)
 		}
+
+		// Determine exit code based on findings and --fail-on flag
+		exitCode := output.DetermineExitCode(allEnriched, failOn, hadErrors)
+		if exitCode != output.ExitCodeSuccess {
+			osExit(int(exitCode))
+		}
+
+		return nil
 	},
 }
 
@@ -185,6 +192,7 @@ func init() {
 	ciCmd.Flags().StringP("output", "o", "sarif", "Output format: sarif or json (default: sarif)")
 	ciCmd.Flags().BoolP("verbose", "v", false, "Show progress and statistics")
 	ciCmd.Flags().Bool("debug", false, "Show debug diagnostics with timestamps")
+	ciCmd.Flags().String("fail-on", "", "Fail with exit code 1 if findings match severities (e.g., critical,high)")
 	ciCmd.MarkFlagRequired("rules")
 	ciCmd.MarkFlagRequired("project")
 }
@@ -0,0 +1,230 @@
+package cmd
+
+import (
+	"context"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestExitCodes_Integration tests actual binary exit codes.
+// This test requires the binary to be built first: gradle buildGo.
+func TestExitCodes_Integration(t *testing.T) {
+	// Skip if INTEGRATION env var not set
+	if os.Getenv("INTEGRATION") == "" {
+		t.Skip("Skipping integration test. Set INTEGRATION=1 to run.")
+	}
+
+	binaryPath := "../build/go/pathfinder"
+	if _, err := os.Stat(binaryPath); os.IsNotExist(err) {
+		t.Skip("Binary not found. Run 'gradle buildGo' first.")
+	}
+
+	// Get absolute path to test fixtures
+	fixturesDir, err := filepath.Abs("../test/fixtures")
+	require.NoError(t, err)
+
+	tests := []struct {
+		name         string
+		projectPath  string
+		rulesPath    string
+		failOn       string
+		command      string
+		outputFormat string
+		expectedExit int
+	}{
+		{
+			name:         "Clean project - no findings",
+			projectPath:  filepath.Join(fixturesDir, "clean_project"),
+			rulesPath:    filepath.Join(fixturesDir, "rules/simple.py"),
+			failOn:       "",
+			command:      "scan",
+			expectedExit: 0,
+		},
+		{
+			name:         "Findings without fail-on",
+			projectPath:  filepath.Join(fixturesDir, "vulnerable_project"),
+			rulesPath:    filepath.Join(fixturesDir, "rules/simple.py"),
+			failOn:       "",
+			command:      "scan",
+			expectedExit: 0,
+		},
+		{
+			name:         "Critical findings with fail-on critical",
+			projectPath:  filepath.Join(fixturesDir, "vulnerable_project"),
+			rulesPath:    filepath.Join(fixturesDir, "rules/critical.py"),
+			failOn:       "critical",
+			command:      "scan",
+			expectedExit: 1,
+		},
+		{
+			name:         "High findings with fail-on critical,high",
+			projectPath:  filepath.Join(fixturesDir, "vulnerable_project"),
+			rulesPath:    filepath.Join(fixturesDir, "rules/high.py"),
+			failOn:       "critical,high",
+			command:      "scan",
+			expectedExit: 1,
+		},
+		{
+			name:         "Low findings with fail-on critical,high",
+			projectPath:  filepath.Join(fixturesDir, "vulnerable_project"),
+			rulesPath:    filepath.Join(fixturesDir, "rules/low.py"),
+			failOn:       "critical,high",
+			command:      "scan",
+			expectedExit: 0,
+		},
+		{
+			name:         "CI mode - SARIF with findings, no fail-on",
+			projectPath:  filepath.Join(fixturesDir, "vulnerable_project"),
+			rulesPath:    filepath.Join(fixturesDir, "rules/simple.py"),
+			failOn:       "",
+			command:      "ci",
+			outputFormat: "sarif",
+			expectedExit: 0,
+		},
+		{
+			name:         "CI mode - JSON with critical findings and fail-on",
+			projectPath:  filepath.Join(fixturesDir, "vulnerable_project"),
+			rulesPath:    filepath.Join(fixturesDir, "rules/critical.py"),
+			failOn:       "critical",
+			command:      "ci",
+			outputFormat: "json",
+			expectedExit: 1,
+		},
+		{
+			name:         "CI mode - CSV with findings but no fail-on match",
+			projectPath:  filepath.Join(fixturesDir, "vulnerable_project"),
+			rulesPath:    filepath.Join(fixturesDir, "rules/low.py"),
+			failOn:       "critical,high",
+			command:      "ci",
+			outputFormat: "csv",
+			expectedExit: 0,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			args := []string{tt.command, "--project", tt.projectPath, "--rules", tt.rulesPath}
+
+			if tt.command == "ci" && tt.outputFormat != "" {
+				args = append(args, "--output", tt.outputFormat)
+			}
+
+			if tt.failOn != "" {
+				args = append(args, "--fail-on", tt.failOn)
+			}
+
+			ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+			defer cancel()
+			cmd := exec.CommandContext(ctx, binaryPath, args...)
+			err := cmd.Run()
+
+			if tt.expectedExit == 0 {
+				assert.NoError(t, err, "Expected exit code 0")
+			} else {
+				var exitErr *exec.ExitError
+				require.ErrorAs(t, err, &exitErr, "Expected exit error")
+				assert.Equal(t, tt.expectedExit, exitErr.ExitCode())
+			}
+		})
+	}
+}
+
+// TestInvalidSeverity_ExitCode2 tests that invalid severities cause exit code 2.
+func TestInvalidSeverity_ExitCode2(t *testing.T) {
+	if os.Getenv("INTEGRATION") == "" {
+		t.Skip("Skipping integration test. Set INTEGRATION=1 to run.")
+	}
+
+	binaryPath := "../build/go/pathfinder"
+	if _, err := os.Stat(binaryPath); os.IsNotExist(err) {
+		t.Skip("Binary not found. Run 'gradle buildGo' first.")
+	}
+
+	fixturesDir, err := filepath.Abs("../test/fixtures")
+	require.NoError(t, err)
+
+	tests := []struct {
+		name    string
+		command string
+		failOn  string
+	}{
+		{
+			name:    "Scan with invalid severity",
+			command: "scan",
+			failOn:  "invalid",
+		},
+		{
+			name:    "CI with invalid severity",
+			command: "ci",
+			failOn:  "critical,invalid,high",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			projectPath := filepath.Join(fixturesDir, "clean_project")
+			rulesPath := filepath.Join(fixturesDir, "rules/simple.py")
+
+			args := []string{tt.command, "--project", projectPath, "--rules", rulesPath, "--fail-on", tt.failOn}
+			if tt.command == "ci" {
+				args = append(args, "--output", "json")
+			}
+
+			ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+			defer cancel()
+			cmd := exec.CommandContext(ctx, binaryPath, args...)
+			err := cmd.Run()
+
+			var exitErr *exec.ExitError
+			require.ErrorAs(t, err, &exitErr, "Expected exit error")
+			assert.Equal(t, 1, exitErr.ExitCode(), "Invalid severity should cause exit via RunE error")
+		})
+	}
+}
+
+// TestCaseInsensitiveSeverities tests case insensitivity of --fail-on.
+func TestCaseInsensitiveSeverities(t *testing.T) {
+	if os.Getenv("INTEGRATION") == "" {
+		t.Skip("Skipping integration test. Set INTEGRATION=1 to run.")
+	}
+
+	binaryPath := "../build/go/pathfinder"
+	if _, err := os.Stat(binaryPath); os.IsNotExist(err) {
+		t.Skip("Binary not found. Run 'gradle buildGo' first.")
+	}
+
+	fixturesDir, err := filepath.Abs("../test/fixtures")
+	require.NoError(t, err)
+
+	projectPath := filepath.Join(fixturesDir, "vulnerable_project")
+	rulesPath := filepath.Join(fixturesDir, "rules/critical.py")
+
+	tests := []struct {
+		name   string
+		failOn string
+	}{
+		{"Lowercase", "critical"},
+		{"Uppercase", "CRITICAL"},
+		{"Mixed case", "CrItIcAl"},
+		{"Multiple mixed", "CRITICAL,High,MeDiUm"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+			defer cancel()
+			cmd := exec.CommandContext(ctx, binaryPath, "scan", "--project", projectPath, "--rules", rulesPath, "--fail-on", tt.failOn)
+			err := cmd.Run()
+
+			var exitErr *exec.ExitError
+			require.ErrorAs(t, err, &exitErr, "Expected exit error for critical finding")
+			assert.Equal(t, 1, exitErr.ExitCode())
+		})
+	}
+}
@@ -33,6 +33,7 @@ Examples:
 		projectPath, _ := cmd.Flags().GetString("project")
 		verbose, _ := cmd.Flags().GetBool("verbose")
 		debug, _ := cmd.Flags().GetBool("debug")
+		failOnStr, _ := cmd.Flags().GetString("fail-on")
 
 		// Setup logger with appropriate verbosity
 		verbosity := output.VerbosityDefault
@@ -43,6 +44,14 @@ Examples:
 		}
 		logger := output.NewLogger(verbosity)
 
+		// Parse and validate --fail-on severities
+		failOn := output.ParseFailOn(failOnStr)
+		if len(failOn) > 0 {
+			if err := output.ValidateSeverities(failOn); err != nil {
+				return err
+			}
+		}
+
 		if rulesPath == "" {
 			return fmt.Errorf("--rules flag is required")
 		}
@@ -105,10 +114,12 @@ Examples:
 
 		// Execute all rules and collect enriched detections
 		var allEnriched []*dsl.EnrichedDetection
+		var scanErrors bool
 		for _, rule := range rules {
 			detections, err := loader.ExecuteRule(&rule, cg)
 			if err != nil {
 				logger.Warning("Error executing rule %s: %v", rule.Rule.ID, err)
+				scanErrors = true
 				continue
 			}
 
@@ -128,8 +139,10 @@ Examples:
 			return fmt.Errorf("failed to format output: %w", err)
 		}
 
-		if len(allEnriched) > 0 {
-			os.Exit(1) // Exit with error code if vulnerabilities found
+		// Determine exit code based on findings and --fail-on flag
+		exitCode := output.DetermineExitCode(allEnriched, failOn, scanErrors)
+		if exitCode != output.ExitCodeSuccess {
+			os.Exit(int(exitCode))
 		}
 
 		return nil
@@ -172,6 +185,7 @@ func init() {
 	scanCmd.Flags().StringP("project", "p", "", "Path to project directory to scan (required)")
 	scanCmd.Flags().BoolP("verbose", "v", false, "Show progress and statistics")
 	scanCmd.Flags().Bool("debug", false, "Show debug diagnostics with timestamps")
+	scanCmd.Flags().String("fail-on", "", "Fail with exit code 1 if findings match severities (e.g., critical,high)")
 	scanCmd.MarkFlagRequired("rules")
 	scanCmd.MarkFlagRequired("project")
 }