oxsecurity / megalinter

🦙 MegaLinter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and security issues in your repository sources with a GitHub Action, other CI tools or locally.
https://megalinter.io
GNU Affero General Public License v3.0
1.81k stars 215 forks

:bulb: Automatically create an issue for each tool with errors #3090

Open RolfMoleman opened 7 months ago

RolfMoleman commented 7 months ago

Problem

We use MegaLinter in incremental non-blocking form (modified exit code, validate_codebase set to false) in pull requests and in full blocking form on a nightly schedule. I'd expect to see an option to have issues created for failures of individual tools.

Suggested Solution

If not inside MegaLinter itself, some advice on how I could automatically raise issues if, for example, Checkov finds issues with the Terraform.

Alternative Solutions

I could leave the megalinter exit code alone and have an issue created when it fails, but then megalinter becomes a blocker which our org isn't yet ready for. Also this would imply the issue is with megalinter rather than a specific tool inside it finding problems.

Additional Context

I'd like to see vulnerabilities have an issue created for teams to track progress to a resolution.
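One way to do what the original post asks for outside MegaLinter itself, as an added example that is not part of this thread or of MegaLinter's own code: run MegaLinter non-blocking, then post-process its SARIF report into one GitHub issue per linter that reported findings. It assumes MegaLinter was run with its SARIF reporter enabled (`SARIF_REPORTER: true`) so that a `megalinter-reports/megalinter-report.sarif` file exists (the exact path is an assumption to check against your MegaLinter version), and that the GitHub CLI (`gh`) is authenticated when issues are really created. The report embedded below is constructed sample data, not real MegaLinter output, and the rule IDs, tool names and file paths in it are illustrative. The `min_level` filter plays the role of the `issue_level` option proposed later in the thread.

```python
"""Turn a MegaLinter SARIF report into one GitHub issue per failing linter.

Added example, not MegaLinter's own code. Assumes SARIF_REPORTER=true was set
so megalinter-reports/megalinter-report.sarif exists (assumed path), and that
`gh` is authenticated (GH_TOKEN with issues:write) when dry_run=False.
"""
import json
import shlex
import subprocess
from collections import defaultdict

# SARIF 2.1.0 result levels, ranked so a threshold can be applied.
# SARIF treats a result with no "level" as "warning".
LEVEL_RANK = {"none": -1, "note": 0, "warning": 1, "error": 2}


def _run(tool, results):
    """Build a minimal SARIF run for the constructed sample report."""
    return {"tool": {"driver": {"name": tool}}, "results": results}


def _result(rule, level, text, uri, line):
    """Build a minimal SARIF result; level=None omits the key on purpose."""
    res = {"ruleId": rule, "message": {"text": text},
           "locations": [{"physicalLocation": {
               "artifactLocation": {"uri": uri},
               "region": {"startLine": line}}}]}
    if level:
        res["level"] = level
    return res


# Constructed sample (NOT real MegaLinter output): one SARIF run per linter,
# which is the shape an aggregated SARIF report takes.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [
    _run("checkov", [
        _result("CKV_AWS_20", "error", "S3 bucket allows public READ", "infra/s3.tf", 12),
        _result("CKV_AWS_18", "warning", "S3 bucket has no access logging", "infra/s3.tf", 1),
    ]),
    _run("trufflehog", [
        _result("aws-key", "error", "Possible AWS access key", "scripts/deploy.sh", 7),
    ]),
    _run("markdownlint", [
        _result("MD013", None, "Line length", "README.md", 3),  # defaults to warning
    ]),
    _run("yamllint", []),  # clean run: must produce no issue
]}


def findings_by_tool(sarif, min_level="error"):
    """Group SARIF results by tool name, keeping those at or above min_level."""
    threshold = LEVEL_RANK[min_level]
    grouped = defaultdict(list)
    for run in sarif.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            level = res.get("level", "warning")
            if LEVEL_RANK.get(level, -1) < threshold:
                continue
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            grouped[tool].append({
                "rule": res.get("ruleId", "?"),
                "level": level,
                "message": res.get("message", {}).get("text", ""),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
            })
    return dict(grouped)


def render_issue(tool, findings, min_level):
    """Return (title, body); the title is stable so reruns can find the open issue."""
    title = f"[MegaLinter] {tool}: {len(findings)} finding(s) at level {min_level}+"
    lines = [f"MegaLinter reported {len(findings)} finding(s) from `{tool}`.", "",
             "| Level | Rule | Location | Message |", "|---|---|---|---|"]
    for f in sorted(findings, key=lambda f: (f["file"], f["line"])):
        lines.append(f"| {f['level']} | {f['rule']} | `{f['file']}:{f['line']}` | {f['message']} |")
    return title, "\n".join(lines)


def build_issue_payloads(sarif, min_level="error"):
    """One issue payload per tool that has findings, in deterministic order."""
    grouped = findings_by_tool(sarif, min_level)
    payloads = []
    for tool in sorted(grouped):
        title, body = render_issue(tool, grouped[tool], min_level)
        payloads.append({"tool": tool, "title": title, "body": body,
                         "labels": ["megalinter", tool]})
    return payloads


def create_issues(payloads, dry_run=True):
    """Create issues with `gh issue create`, skipping titles already open.

    Returns the shell-quoted create commands; with dry_run=True nothing runs.
    """
    commands = []
    for p in payloads:
        search = ["gh", "issue", "list", "--state", "open", "--json", "number",
                  "--search", f'in:title "{p["title"]}"']
        create = ["gh", "issue", "create", "--title", p["title"],
                  "--body", p["body"], "--label", ",".join(p["labels"])]
        commands.append(" ".join(shlex.quote(c) for c in create))
        if dry_run:
            continue
        out = subprocess.run(search, check=True, capture_output=True, text=True).stdout
        if json.loads(out):
            continue  # an open issue for this tool already exists; don't duplicate
        subprocess.run(create, check=True)
    return commands


if __name__ == "__main__":
    import sys
    report = SAMPLE_SARIF
    if len(sys.argv) > 1:  # e.g. megalinter-reports/megalinter-report.sarif
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    for cmd in create_issues(build_issue_payloads(report, "error"), dry_run=True):
        print(cmd)
```

In a GitHub workflow this would run as a step after the MegaLinter step with `continue-on-error` (or MegaLinter's own non-blocking exit-code setting) so the pipeline still passes, with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and `permissions: issues: write` on the job; the labels passed to `--label` must already exist in the repository. The stable title plus the `gh issue list --search` check is what keeps a nightly run from opening a fresh duplicate every day, which is the noise concern raised in the replies.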

nvuillam commented 6 months ago

@RolfMoleman do you mean that if 5 tools find errors on a PR, you want to create one GitHub issue per tool?

I'm afraid that if we do that, it will generate dozens of issues that nobody will look at :/

In which context do you use MegaLinter?

RolfMoleman commented 6 months ago

> @RolfMoleman do you mean that if 5 tools find errors on a PR, you want to create one GitHub issue per tool?
>
> I'm afraid that if we do that, it will generate dozens of issues that nobody will look at :/
>
> In which context do you use MegaLinter?

Hi @nvuillam,

I can see how it could be too noisy for some teams yes, but that's why I think an option would be helpful.

We use MegaLinter in both Azure DevOps pipelines and GitHub workflows. There are some errors/warnings that, whilst they should ideally be resolved, are less crucial, such as some formatting/linting ones. However, for security-based errors such as those from the likes of KICS, Trufflehog, Checkov etc., it would be nice to have the option to have a separate issue created to resolve specific issues.

Perhaps an issue reporter flag in the config file where we can include the options for: all (for an issue per tool/linter with errors); MegaLinter (for one issue that displays the MegaLinter table, or perhaps something a bit like the Renovate dependency dashboard); and the ability to list linters/tools for an issue to be created for each, similar to the enable_linters option. I guess to reduce noise there could be an issue_level option which would refer to the serilog log_level, so that if set to error it would only create an issue for errors, if set to warning it would create issues for warnings and above, etc.

I hope that makes sense.