Open meganbruce opened 8 months ago
@ethomson for feature prioritization
@ethomson -- this was a suggestion / request from a prospective user, but that user was a GitHub field engineer, so feel free to close with "not something that we've heard from other customers".
Please describe the enhancement
Minder can currently enable code scanning for a repo, and make sure that it's continually enabled. However, understanding whether code scanning is on in a repo entails more than just whether it's enabled. You could have code scanning on, but the results could be failing and no action is being taken. Making sure that those alerts from failed code scans are being uploaded to a repo so that action can be taken is really important.
Solution Proposal
The GitHub API has an endpoint to list / get code scanning analyses for a repo. We could do something with this to better support CodeQL enablement and adoption, like open a PR with failed code scanning alerts for a remediation action.
Per GitHub, this endpoint also works if the customer is using a 3P code scanning tool, like Trivy.
Additional context
This suggestion came from a conversation with a Field Engineer at GitHub.
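One way to build the check sketched in the Solution Proposal, as an added example that is not code from the Minder project or from the issue author: it calls the GitHub endpoint named above (GET /repos/{owner}/{repo}/code-scanning/analyses) and then judges whether code scanning is actually producing uploads rather than merely being enabled. The owner/repo names, the token placeholder, the 14-day freshness window and the sample JSON response are assumptions constructed for the example; the struct only covers the response fields the check reads.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Analysis holds the fields this check reads from one entry of GitHub's
// GET /repos/{owner}/{repo}/code-scanning/analyses response.
type Analysis struct {
	CreatedAt    time.Time `json:"created_at"`
	ResultsCount int       `json:"results_count"`
	Error        string    `json:"error"`
	Tool         struct{ Name string `json:"name"` } `json:"tool"`
}

// Finding is what a policy engine acts on: the newest upload must exist, be recent, error-free, and its results need an owner.
type Finding struct {
	Uploaded    bool   // at least one analysis exists for the ref
	Stale       bool   // newest analysis is older than the allowed window
	ToolError   string // non-empty if the newest analysis reported an error
	OpenResults int    // results_count of the newest analysis
	Tool        string // uploader name as reported (CodeQL, Trivy, ...)
}

// NeedsAction is true when someone should look at this repo.
func (f Finding) NeedsAction() bool {
	return !f.Uploaded || f.Stale || f.ToolError != "" || f.OpenResults > 0
}

// ParseAnalyses decodes the JSON array the analyses endpoint returns.
func ParseAnalyses(r io.Reader) ([]Analysis, error) {
	var out []Analysis
	err := json.NewDecoder(r).Decode(&out)
	return out, err
}

// FetchAnalyses lists analyses for one ref; baseURL is https://api.github.com in production and a stub here.
func FetchAnalyses(client *http.Client, baseURL, token, owner, repo, ref string) ([]Analysis, error) {
	url := fmt.Sprintf("%s/repos/%s/%s/code-scanning/analyses?ref=%s&per_page=100", baseURL, owner, repo, ref)
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Accept", "application/vnd.github+json")
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusNotFound { // not set up, or token lacks security_events; distinct from "enabled but silent"
		return nil, fmt.Errorf("code scanning analyses unavailable for %s/%s (HTTP 404)", owner, repo)
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return ParseAnalyses(resp.Body)
}

// Evaluate picks the newest analysis and judges it against maxAge.
func Evaluate(analyses []Analysis, now time.Time, maxAge time.Duration) Finding {
	if len(analyses) == 0 {
		return Finding{} // enabled but silent: nothing has ever been uploaded
	}
	latest := analyses[0]
	for _, a := range analyses[1:] {
		if a.CreatedAt.After(latest.CreatedAt) {
			latest = a
		}
	}
	return Finding{Uploaded: true, Stale: now.Sub(latest.CreatedAt) > maxAge,
		ToolError: latest.Error, OpenResults: latest.ResultsCount, Tool: latest.Tool.Name}
}

// SampleAnalysesJSON is constructed (not captured from GitHub): two CodeQL uploads, the newer carrying three results.
const SampleAnalysesJSON = `[
 {"created_at":"2024-05-01T10:00:00Z","results_count":0,"error":"","tool":{"name":"CodeQL"}},
 {"created_at":"2024-05-20T10:00:00Z","results_count":3,"error":"","tool":{"name":"CodeQL"}}
]`

func main() {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { // stub GitHub so this runs offline
		fmt.Fprint(w, SampleAnalysesJSON)
	}))
	defer srv.Close()
	analyses, err := FetchAnalyses(srv.Client(), srv.URL, "token-placeholder", "acme", "widget", "refs/heads/main")
	if err != nil {
		panic(err)
	}
	// Evaluated 30 days after the newest upload with a 14-day window, so the repo reads as stale.
	now := time.Date(2024, 6, 19, 10, 0, 0, 0, time.UTC)
	f := Evaluate(analyses, now, 14*24*time.Hour)
	fmt.Printf("%+v needsAction=%v\n", f, f.NeedsAction())
}
```

Because the endpoint reports the uploading tool per analysis, a third-party uploader such as Trivy shows up under its own tool name with no change to the check. Note that results_count is the number of results in that one upload, not the set of currently open alerts; the remediation PR the proposal mentions would draw its list from GET /repos/{owner}/{repo}/code-scanning/alerts, which this example does not call.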