Summary
The getting-started page at content/docs/getting-started/_index.md:25 contains the phrase
"a failed-job mechanism blocks the pipeline when controls are not met", which implies that
complyctl scan exits non-zero when controls fail. It does not — scan exits 0 on completion
regardless of findings.
Current wording
a failed-job mechanism blocks the pipeline when controls are not met
Correct behavior
complyctl scan exits 0 on completion regardless of pass/fail findings. Policy findings are
data, not errors. The command exits non-zero only for operational errors (provider failures,
bad configuration, or zero requirements assessed). Pipeline gating requires parsing the
--format output (SARIF, OSCAL) with a policy engine.
Suggested fix
Update the wording to accurately describe how pipeline gating works with complyctl — through
parsing structured output formats, not through exit codes.
Related
Summary
The getting-started page at
content/docs/getting-started/_index.md:25contains the phrase"a failed-job mechanism blocks the pipeline when controls are not met", which implies that
complyctl scanexits non-zero when controls fail. It does not — scan exits 0 on completionregardless of findings.
Current wording
Correct behavior
complyctl scanexits 0 on completion regardless of pass/fail findings. Policy findings aredata, not errors. The command exits non-zero only for operational errors (provider failures,
bad configuration, or zero requirements assessed). Pipeline gating requires parsing the
--formatoutput (SARIF, OSCAL) with a policy engine.Suggested fix
Update the wording to accurately describe how pipeline gating works with complyctl — through
parsing structured output formats, not through exit codes.
Related
scanexits 0 even when controls fail, and the contract is undocumented complyctl#608 —scanexits 0 even when controls fail, and the contract is undocumented