optiqor · nvphungdev · May 17, 2026
@@ -195,7 +195,7 @@ The pipeline is deterministic. The same input always produces the same output. T
 | `--no-color` / `NO_COLOR=1` | Disable ANSI output; auto-detected when piped |
 | `--severity low\|med\|high` | Drop findings below the threshold (analyze) |
 | `--detector <id>` | Repeatable allow-list, e.g. `--detector cpu-overprovisioned --detector image-pinned-latest` |
-| `--fail-on low\|med\|high` | Exit code 1 if any finding meets/exceeds the severity (analyze, audit) |
+| `--fail-on low\|med\|high` | Exit code 1 if any finding meets/exceeds the severity (analyze, audit; unset by default) |
 | `--config <path>` | Load `.optiqor.yaml` from a custom path (default `./.optiqor.yaml` or `$OPTIQOR_CONFIG`) |
 
 ### Exit codes

@@ -569,7 +569,7 @@ func newAuditCmd() *cobra.Command {
 		},
 	}
 	cmd.Flags().BoolVar(&jsonOut, "json", false, "emit machine-readable JSON")
-	cmd.Flags().StringVar(&failOn, "fail-on", "high", "exit code 1 when any finding is at this severity or higher (low|med|high)")
+	cmd.Flags().StringVar(&failOn, "fail-on", "", "exit code 1 when any finding is at this severity or higher (low|med|high)")
 	cmd.Flags().StringVarP(&outputPath, "output", "o", "", "write the rendered output to a file instead of stdout")
 	return cmd
 }

@@ -138,6 +138,20 @@ func TestAnalyze_JSONShape(t *testing.T) {
 	}
 }
 
+func TestAudit_DefaultFailOnIsOptIn(t *testing.T) {
+	cmd := newRootCmd()
+	var buf bytes.Buffer
+	cmd.SetOut(&buf)
+	cmd.SetErr(&buf)
+	cmd.SetArgs([]string{"--no-color", "audit", "../../testdata/fixtures/basic-chart/values.yaml"})
+	if err := cmd.Execute(); err != nil {
+		t.Fatalf("audit without --fail-on should not fail by default: %v\n%s", err, buf.String())
+	}
+	if !strings.Contains(buf.String(), "HIGH") {
+		t.Fatalf("audit fixture should still report high severity findings:\n%s", buf.String())
+	}
+}
+
 func TestResolveColor_NoColorFlag(t *testing.T) {
 	cmd := newRootCmd()
 	if got := resolveColor(cmd, true); got {