Closed mcavey-arch closed 2 months ago
Hello @mcavey-arch and thank you for using Frogbot! As for your questions:

1) Yes, you understand the behavior correctly. If Frogbot didn't find any security vulnerabilities, it will print a message to the log stating that no security vulnerabilities were found. If it does find any, it will present the results as PR comments.

2) Repository scans should raise GitHub Security events that are presented in the GitHub Security tab, BUT this is a feature that needs to be acquired from GitHub itself. Do you have this feature in your repositories?

3) From the logs you've sent I cannot really tell how you configured Frogbot. If Frogbot completes without any errors, you probably configured it correctly. If you have any doubts about your configuration or need any further assistance with your Frogbot configuration, please contact your Frogbot representative or open another issue about the specific configuration option you want to ask about, so I can provide the best answer for you :)
Ah ok, I think answer 2 is the issue. I'm not aware of acquiring anything from GitHub.
Do you know which feature we would need to acquire from GitHub?
I'm not really sure, as it is related to GitHub itself and not our platform. I think you get it if you have an Enterprise license, but it is best to check the GitHub documentation; I'm sure it can provide a better answer than me on this subject. Happy I could assist. I'm closing this GitHub issue, but if you have any other questions or need help, please feel free to contact us again :)
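The thread leaves open which GitHub feature is needed. As an added example (not Frogbot's code and not part of the original issue), the check below decides, from the JSON that the GitHub REST API returns for `GET /repos/{owner}/{repo}`, whether code scanning alerts (the Security tab results a repository scan would publish) can be received: public repositories have code scanning available, while private and internal repositories need GitHub Advanced Security enabled, which the API exposes as `security_and_analysis.advanced_security.status` (only included when the caller has admin access, so an absent field is reported as unknown rather than as a failure). The three sample repository documents are constructed for the example.

```python
"""Check whether a repository can receive GitHub code scanning alerts.

Added example, not Frogbot's or GitHub's code. Rule encoded (assumption about
GitHub's offering at time of writing): public repositories get code scanning;
private/internal repositories need GitHub Advanced Security (GHAS) enabled.
Input is the JSON body of GET /repos/{owner}/{repo} as a Python dict.
"""
import json
from typing import Tuple


def security_tab_status(repo: dict) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'missing' or 'unknown'."""
    # The API returns both "visibility" (public/private/internal) and the
    # older boolean "private"; fall back to the boolean if needed.
    visibility = repo.get("visibility")
    if visibility is None:
        visibility = "private" if repo.get("private") else "public"

    if visibility == "public":
        return "ok", "public repository: code scanning alerts are available"

    # advanced_security.status is only present for callers with admin access.
    sa = repo.get("security_and_analysis") or {}
    status = (sa.get("advanced_security") or {}).get("status")
    if status == "enabled":
        return "ok", f"{visibility} repository with GitHub Advanced Security enabled"
    if status == "disabled":
        return "missing", (f"{visibility} repository without GitHub Advanced Security: "
                           "SARIF uploads will be rejected and nothing reaches the Security tab")
    return "unknown", (f"{visibility} repository, GHAS status not visible: "
                       "query with a token that has admin access to the repository")


# Constructed sample API responses (trimmed to the fields this check reads).
SAMPLES = {
    "public": json.loads('{"full_name": "acme/web", "private": false, "visibility": "public"}'),
    "private_ghas": json.loads(
        '{"full_name": "acme/api", "private": true, "visibility": "private",'
        ' "security_and_analysis": {"advanced_security": {"status": "enabled"}}}'),
    "private_no_ghas": json.loads(
        '{"full_name": "acme/infra", "private": true, "visibility": "private",'
        ' "security_and_analysis": {"advanced_security": {"status": "disabled"}}}'),
    "private_unknown": json.loads('{"full_name": "acme/legacy", "private": true}'),
}


def check_all(samples: dict) -> dict:
    """Run the check over several repositories; returns name -> verdict."""
    return {name: security_tab_status(repo)[0] for name, repo in samples.items()}


if __name__ == "__main__":
    for name, repo in SAMPLES.items():
        verdict, reason = security_tab_status(repo)
        print(f"{repo.get('full_name', name):12s} {verdict:8s} {reason}")
```

In practice the input comes from `gh api repos/OWNER/REPO` (or the equivalent authenticated HTTPS call) run with a token that has admin rights on the repository; without that, the `security_and_analysis` block is absent and the check can only report `unknown`.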
I have set up Frogbot for the repository scan as per the documentation. I have successfully set up Frogbot for PR scanning, which is working well.
My question is: in a repository that I know has package vulnerabilities (identified by Frogbot in the PR workflow with `JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"`), when the repo scan action runs I am expecting GitHub Security events to be produced for the vulnerable packages, but this doesn't occur. When there are no vulnerable packages, there is a log message stating there are none, but the logs don't contain any such statement, yet the action completes.
So: