[Safe Outputs Conformance] Conformance checker script exits early due to set -e and counter increments

[github-actions]

Bug Description

The conformance checker script scripts/check-safe-outputs-conformance.sh exits prematurely when it encounters the first MEDIUM severity failure. This prevents it from running all conformance checks and providing a complete report.

File: scripts/check-safe-outputs-conformance.sh
Line: 6

Root Cause

The script uses set -euo pipefail at the top, which causes the script to exit immediately if any command returns a non-zero exit code. When a MEDIUM failure is logged, the function log_medium() calls:

log_medium() {
    echo -e "\$\{YELLOW}[MEDIUM]\$\{NC} $1"
    ((MEDIUM_FAILURES++))
}

When MEDIUM_FAILURES is 0, the arithmetic expression ((MEDIUM_FAILURES++)) evaluates to 0 (the pre-increment value), which bash treats as a "false" result (exit code 1). Combined with set -e, this causes the entire script to exit immediately.

Current Behavior

1. Script runs SEC-001, SEC-002 successfully
2. SEC-003 finds first MEDIUM failure
3. ((MEDIUM_FAILURES++)) increments from 0 to 1, returns 0 (exit code 1)
4. set -e triggers script termination
5. Remaining checks (SEC-004 through IMP-003) never run
6. Summary is never displayed

Expected Behavior

The script should:

1. Run all conformance checks regardless of failures found
2. Accumulate CRITICAL, HIGH, MEDIUM, and LOW failure counts
3. Display complete summary at the end
4. Exit with appropriate code based on highest severity found

Remediation Steps

Option 1: Make counter increments safe (recommended)

Change all counter increment lines to ignore their exit code:

log_critical() {
    echo -e "\$\{RED}[CRITICAL]\$\{NC} $1"
    ((CRITICAL_FAILURES++)) || true
}

log_high() {
    echo -e "\$\{RED}[HIGH]\$\{NC} $1"
    ((HIGH_FAILURES++)) || true
}

log_medium() {
    echo -e "\$\{YELLOW}[MEDIUM]\$\{NC} $1"
    ((MEDIUM_FAILURES++)) || true
}

log_low() {
    echo -e "\$\{BLUE}[LOW]\$\{NC} $1"
    ((LOW_FAILURES++)) || true
}

Option 2: Use alternative increment syntax

Replace ((VAR++)) with VAR=$((VAR + 1)) which never returns exit code 1:

log_medium() {
    echo -e "\$\{YELLOW}[MEDIUM]\$\{NC} $1"
    MEDIUM_FAILURES=$((MEDIUM_FAILURES + 1))
}

Option 3: Remove set -e (not recommended)

Remove the -e flag from line 6, but this reduces error detection for genuine problems.

Verification

After applying the fix, run:

bash scripts/check-safe-outputs-conformance.sh

The script should:

• ✅ Run all checks (SEC-001 through IMP-003)
• ✅ Display complete conformance summary
• ✅ Show total counts for all severity levels
• ✅ Exit with code 2 if CRITICAL found, 1 if HIGH found, 0 otherwise

Impact

This bug has prevented comprehensive conformance checking since the script was introduced. Past runs likely reported incomplete results, giving a false sense of compliance.

References:

• Script: scripts/check-safe-outputs-conformance.sh
• Workflow Run: §22071409611

Generated by Daily Safe Outputs Conformance Checker

• expires on Feb 17, 2026, 5:06 PM UTC