microsoft / GHAzDO-Resources

Resources, Scripts, etc. for GitHub Advanced Security on Azure DevOps
MIT License

PowerShell Gating Script Issue #38

Open ritesh-harry opened 2 months ago

ritesh-harry commented 2 months ago

Hello,

Regarding the PowerShell gating script, it works well but there seems to be some sort of quirk with this for the dependency scanning.

We are using the script for pull request builds as well so that we can fix any dependency alerts that were flagged when the build last ran on master or if any new dependency issues are introduced in the updated code (pull request).

If we update a dependency that has been flagged when the build was last run on master in a pull request, the alert does not seem to clear even though a full dependency scan is being run, meaning the same results are returned all the time from when the build last ran on master. So, we cannot actually see if what we have fixed is actually fixed and resolved. Only once the code is merged to master, the build is run and the dependency scanning happens do we see that the alert is cleared.

This does not seem right. If during a pull request build the dependency scanning is happening and if a previous dependency scan alert that has been flagged is now fixed in the pull request the alert results should be updated as well.

I wanted to ask if you are aware of any limitations when the dependency scanning happens for a pull request build? If it does not work for a pull request build meaning that only the dependency scan alerts for master build are shown and not for pull request branches via the API then I believe this should not work or maybe should be excluded from pull request build as it is not accurate.

Thank you.

felickz commented 1 month ago

Hey there,

We actually have a separate script that is intended to be run in a PR, check out this one: https://github.com/microsoft/GHAzDO-Resources/tree/main/src/pr-gating

It runs a diff comparing the default branch alerts against what is newly discovered on a scan against a PR merge branch, shows annotation comments and allows you to gate the PR.
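The diff-style gate described in the reply above, as an added illustration that is not the project's pr-gating script and does not call the Advanced Security API: two constructed alert lists (default branch vs. PR merge branch) are compared on what each finding is rather than on its id, so a dependency fixed in the PR drops out and only findings the PR introduces can fail the build. The field names (alertId, alertType, severity, title, dependency), the package names and the comparison key are assumptions made for this example.

```powershell
# Added example (not the GHAzDO-Resources pr-gating script). Shows how a
# "diff gate" decides whether a PR introduces alerts the default branch does
# not already carry. Alert objects are constructed sample data; their field
# names are assumptions, not the Advanced Security API schema.

function Get-AlertKey {
    param([Parameter(Mandatory)][pscustomobject]$Alert)
    # Key on what the finding is, not on alertId: ids differ between the
    # default-branch scan and the PR merge-branch scan, so comparing ids
    # would report every alert as new.
    return '{0}|{1}|{2}' -f $Alert.alertType, $Alert.title, $Alert.dependency
}

function Get-NewAlerts {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][pscustomobject[]]$DefaultBranchAlerts,
        [Parameter(Mandatory)][AllowEmptyCollection()][pscustomobject[]]$PrAlerts
    )
    $baseline = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($a in $DefaultBranchAlerts) { [void]$baseline.Add((Get-AlertKey $a)) }
    # Anything the default branch already has is pre-existing debt, not the
    # PR author's regression; only the remainder is considered for gating.
    return @($PrAlerts | Where-Object { -not $baseline.Contains((Get-AlertKey $_)) })
}

function Test-PrGate {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][pscustomobject[]]$DefaultBranchAlerts,
        [Parameter(Mandatory)][AllowEmptyCollection()][pscustomobject[]]$PrAlerts,
        [ValidateSet('low', 'medium', 'high', 'critical')][string]$MinimumSeverity = 'high'
    )
    $rank = @{ low = 0; medium = 1; high = 2; critical = 3 }
    $new = Get-NewAlerts -DefaultBranchAlerts $DefaultBranchAlerts -PrAlerts $PrAlerts
    $blocking = @($new | Where-Object { $rank[$_.severity] -ge $rank[$MinimumSeverity] })
    foreach ($b in $blocking) {
        # The ##vso logging command surfaces as a build error in Azure Pipelines.
        Write-Host "##vso[task.logissue type=error]New $($b.severity) alert: $($b.title) ($($b.dependency))"
    }
    return [pscustomobject]@{
        NewAlerts      = $new
        BlockingAlerts = $blocking
        Passed         = ($blocking.Count -eq 0)
    }
}

# Constructed sample data: what the last default-branch scan reported.
$defaultBranch = @(
    [pscustomobject]@{ alertId = 101; alertType = 'dependency'; severity = 'high';   title = 'Sample finding A'; dependency = 'pkg-alpha@1.2.3' }
    [pscustomobject]@{ alertId = 102; alertType = 'dependency'; severity = 'medium'; title = 'Sample finding B'; dependency = 'pkg-beta@2.0.0' }
)
# Constructed PR merge-branch scan: the PR upgraded pkg-alpha (finding A is
# gone), kept pkg-beta (finding B reissued under a new id) and added a
# vulnerable pkg-gamma (finding C is genuinely new to this PR).
$prBranch = @(
    [pscustomobject]@{ alertId = 201; alertType = 'dependency'; severity = 'medium'; title = 'Sample finding B'; dependency = 'pkg-beta@2.0.0' }
    [pscustomobject]@{ alertId = 202; alertType = 'dependency'; severity = 'high';   title = 'Sample finding C'; dependency = 'pkg-gamma@0.9.0' }
)

$result = Test-PrGate -DefaultBranchAlerts $defaultBranch -PrAlerts $prBranch -MinimumSeverity 'high'
"Gate passed: $($result.Passed); new alerts: $($result.NewAlerts.Count); blocking: $($result.BlockingAlerts.Count)"
# Fail the pipeline step when the PR introduces a blocking alert.
if (-not $result.Passed) { exit 1 }
```

With the sample data the gate reports one new alert (finding C) and fails, while finding A, fixed by the PR, no longer appears and finding B is recognised as pre-existing despite its new id. Keying on the finding's content rather than its id is what keeps the diff honest across the two scans; if a real integration used an alert schema with different property names, only Get-AlertKey would need to change.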