jfrog / frogbot

🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
https://docs.jfrog-applications.jfrog.io/
Apache License 2.0

Raising of GitHub Security events for vulnerable packages #710

Closed mcavey-arch closed 2 months ago

mcavey-arch commented 3 months ago

I have setup FrogBot for the repository scan as per the documentation - I have successfully setup FrogBot for PR scanning, which is working well.

My question is - in a repository that I know has package vulnerabilities (Identified by FrogBot in the PR workflow with JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"), when the repo scan action runs I am expecting GitHub Security Events to be produced for the vulnerable packages - but this doesn't occur.

09:53:30 [Info] Running SCA scan for nuget vulnerable dependencies in /tmp/jfrog.cli.temp.-1718272409-1318956605/src directory...
09:53:30 [Info] Calculating NuGet dependencies...
09:53:30 [Info] Dependencies sources were not detected nor 'install' command provided. Running 'restore' command
09:53:53 [Info] Scanning 211 nuget dependencies...
09:53:54 [Info] Waiting for scan to complete on JFrog Xray...
09:54:05 [Info] Xray scan completed
09:54:05 [Warn] upload code scanning for main branch failed with: POST https://api.github.com/repos/archinsurance/aeis-x3-sonar-exporter/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []
09:54:06 [Info] Frogbot "scan-repository" command finished successfully

When there are no vulnerable packages, there is a log message stating there are none - but here the logs don't contain any such statement, yet the action completes.

So:

eranturgeman commented 3 months ago

Hello @mcavey-arch and thank you for using Frogbot! As for your questions:

1) Yes, you understand the behavior correctly. If Frogbot didn't find any security vulnerabilities, it will print a message to the log that states that no security vulnerabilities were found. If it does find some, it will present the results as PR comments.

2) Repository scans should raise GitHub Security events that are presented in the GitHub Security tab, BUT this is a feature that needs to be acquired from GitHub itself. Do you have this feature in your repositories?

3) From the logs you've sent I cannot really know how you configured Frogbot. If Frogbot is completing without any errors, you probably configured it correctly. If you have any doubts about your configuration or need any further assistance with your Frogbot configuration, please contact your Frogbot representative or open another issue about the specific configuration option you want to ask about, so I can provide the best answer for you :)

mcavey-arch commented 3 months ago

Ah ok, I think answer 2 is the issue - I'm not aware of acquiring anything from GitHub.

Do you know which feature we would need to acquire from GitHub?

eranturgeman commented 2 months ago

I'm not really sure, as it is related to GitHub itself and not our platform. I think you get it if you have an Enterprise license, but it is best to check the GitHub documentation; I'm sure it can provide a better answer than me on this subject. Happy I could assist. I'm closing this GitHub issue, but if you have any other questions or need help, please feel free to contact us again :)
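The log in the first post shows the failure mode discussed in this thread: the SARIF upload to GitHub code scanning is rejected with a 403 because Advanced Security is not enabled, yet the `scan-repository` command still finishes "successfully", so no Security events appear and nothing fails the workflow. The following added example (not Frogbot's own code) parses that warning out of Frogbot's log output and cross-checks it against the `security_and_analysis.advanced_security.status` field that GitHub's `GET /repos/{owner}/{repo}` endpoint returns, so a CI step can fail loudly; the log lines and the repository JSON are constructed samples, and `example-org/example-repo` is a placeholder.

```python
import json
import re
from typing import Optional

# Constructed sample modelled on the Frogbot log lines quoted in the issue.
SAMPLE_LOG = """\
09:54:05 [Info] Xray scan completed
09:54:05 [Warn] upload code scanning for main branch failed with: POST https://api.github.com/repos/example-org/example-repo/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []
09:54:06 [Info] Frogbot "scan-repository" command finished successfully
"""

# Constructed sample of the security_and_analysis object from GET /repos/{owner}/{repo}
# (assumption: the shape GitHub documents for repositories with GHAS settings).
SAMPLE_REPO_JSON = ('{"full_name": "example-org/example-repo", "private": true, '
                    '"security_and_analysis": {"advanced_security": {"status": "disabled"}}}')

# Matches Frogbot's "[Warn] upload code scanning ... failed with:" line and pulls out
# the branch, the owner/repo from the API URL, the HTTP status and the message.
UPLOAD_FAILED = re.compile(
    r"\[Warn\] upload code scanning for (?P<branch>\S+) branch failed with: "
    r"\S+ https://api\.github\.com/repos/(?P<owner>[^/]+)/(?P<repo>[^/]+)/code-scanning/sarifs: "
    r"(?P<status>\d{3}) (?P<msg>.*?)\s*\[\]$"
)

def find_sarif_upload_failure(log_text: str) -> Optional[dict]:
    """Return details of the first failed SARIF upload in Frogbot's log, or None."""
    for line in log_text.splitlines():
        m = UPLOAD_FAILED.search(line)
        if m:
            details = m.groupdict()
            details["status"] = int(details["status"])
            return details
    return None

def advanced_security_enabled(repo_json: str) -> Optional[bool]:
    """Read advanced_security.status from a repository API response; None if the field is absent."""
    repo = json.loads(repo_json)
    status = ((repo.get("security_and_analysis") or {}).get("advanced_security") or {}).get("status")
    return None if status is None else status == "enabled"

def diagnose(log_text: str, repo_json: str) -> str:
    """Combine both signals so a CI step can fail instead of the run finishing 'successfully'."""
    failure = find_sarif_upload_failure(log_text)
    if failure is None:
        return "ok: no SARIF upload failure logged"
    ghas = advanced_security_enabled(repo_json)
    target = f"{failure['owner']}/{failure['repo']}"
    if failure["status"] == 403 and ghas is False:
        return f"blocked: GHAS disabled on {target}; no Security events will be raised"
    return f"blocked: SARIF upload returned {failure['status']} for {target}: {failure['msg']}"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_REPO_JSON))
```

In a workflow, feed the real job log and the live repository JSON into `diagnose` and exit non-zero on any "blocked" result.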