Automatic feedback of scan results as PR comment #162
Comments
@harmw sorry I missed this earlier. This is a great idea! I think this could probably be a part of the main action, though, instead of a sub-action, just with an option; would that work too?
yeah totally, just figured having it separate would make it easier to develop (separation of concerns, decoupling) 🙂 (but my JS skills are sub-par)
The distinction between a sub-action and the main one to me is where you would generally use it in a workflow. For PR comments, you'd use it when the action runs and wouldn't need a separate action. I really do like this idea and was hoping to do something similar for the
just as an FYI, here's something (completely unrelated) that I'm using inside some actions:
Any news? I'm very interested in this feature :)
Hi, this was exactly what I was looking for. I have a feeling that there's something obvious I'm missing. I've tried something like this, and I do get the output, but as a single line:

```yaml
# I have other steps to generate the SBOM and download Grype and it works as expected
- name: Scan SBOM
  id: scan
  run: echo table=$(${{ steps.grype.outputs.cmd }} -o table --fail-on medium sbom:sbom.spdx.json) >> $GITHUB_OUTPUT
```

My Google-foo is failing me.
this is how we're doing the scan-sbom-and-write-a-comment:
I now know there are better options out there, but this got us moving in the right direction 😅
Perfect - thanks! Thanks a lot
Another idea, annotations:
Or opening issues, as done by many actions for Trivy:
This is how I've implemented the comment functionality for PRs: (workflow, example of the comment) Key features:
I'm looking at ways to improve engagement (around security) and one way is to involve my devs a little more in everything security.
Currently the results of a scan (can) go to the GitHub security dashboard, which is fine, but how about a sub action to create a little markdown comment inside the PR?
Simply this:
This would look for a `sarif` file, extract the required bits and post a comment in the PR thread. There's a `markdown` field inside this file which we may want to use, or write out a different message altogether. Thoughts?
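A sketch of the SARIF-to-comment step proposed above, added here as an example and not code from the action or from anyone in this thread. It assumes the SARIF 2.1.0 layout `runs[].results[]` and reads `message.markdown` (falling back to `message.text`) as the markdown field mentioned; posting the rendered body to the PR is left to the workflow.

```javascript
// Added example (not the action's own code): turn a SARIF 2.1.0 document into a
// markdown PR-comment body. Assumes the shape `runs[].results[]` with `ruleId`,
// `level`, `message.{markdown,text}`, `locations[].physicalLocation.artifactLocation.uri`.
// Constructed sample in the shape of a scanner's SARIF output (not real findings).
const SAMPLE_SARIF = {
  version: '2.1.0',
  runs: [{
    tool: { driver: { name: 'example-scanner' } },
    results: [
      { ruleId: 'EXAMPLE-0001', level: 'error',
        message: { text: 'pkg libfoo 1.0 has a known issue',
                   markdown: 'pkg **libfoo** 1.0 has a known issue' },
        locations: [{ physicalLocation: { artifactLocation: { uri: 'sbom.spdx.json' } } }] },
      { ruleId: 'EXAMPLE-0002', message: { text: 'pkg bar 2.3 | outdated' }, locations: [] },
    ],
  }],
};
// Flatten every result of every run into one row per finding.
function extractFindings(sarif) {
  const rows = [];
  for (const run of sarif.runs || []) {
    for (const r of run.results || []) {
      const loc = (r.locations || [])[0];
      const art = loc && loc.physicalLocation && loc.physicalLocation.artifactLocation;
      rows.push({
        ruleId: r.ruleId || '(none)',
        level: r.level || 'warning', // SARIF's default when `level` is absent
        // Prefer the SARIF `markdown` message when the scanner provides one.
        message: (r.message && (r.message.markdown || r.message.text)) || '',
        uri: (art && art.uri) || '',
      });
    }
  }
  return rows;
}
// Escape pipes and newlines so a message cannot break the table layout.
function cell(s) { return String(s).replace(/\|/g, '\\|').replace(/\r?\n/g, ' '); }

// Render the comment body; the leading HTML marker lets a later run find and
// update its own comment instead of adding a new one on every push.
function renderComment(sarif) {
  const rows = extractFindings(sarif);
  const head = `<!-- scan-results-comment -->\n## Scan results: ${rows.length} finding(s)\n\n`;
  if (rows.length === 0) return head + 'No findings.\n';
  const table = ['| Rule | Level | Location | Message |', '|---|---|---|---|']
    .concat(rows.map(r => `| ${cell(r.ruleId)} | ${cell(r.level)} | ${cell(r.uri)} | ${cell(r.message)} |`));
  return head + table.join('\n') + '\n';
}
```

Running `renderComment` on a parsed SARIF file gives the body to pass to the GitHub API, and the marker comment at the top is what a follow-up run would search for to edit the existing comment rather than post a duplicate.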