I think the fail_on input doesn't work very well for a CI workflow. Ideally, before failing we should upload the SARIF to GitHub,
so that users are aware of which deps made the workflow fail.
And the other thing: if for a PR the admin sets fail_on to never because he wants to see vulnerabilities uploaded on the GH security tab, he will still get "CRDA scan passed" in the label.
Both things are kind of contradictory: on one side he is getting vulnerabilities in the security tab, and on the other he is getting "CRDA scan passed".
Probably we should update the labels:
crda-found-warning --> in case of warning
crda-found-error --> in case of error
crda scan passed --> no vulnerability
crda-scan-failed --> for workflow failure/anything wrong
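Added example (not from the issue or the crda-action project): a PR workflow that gets the SARIF uploaded before the job is failed, by letting the scan step record its outcome instead of aborting the job, then failing in a final step. The action ref, the manifest_path input, the crda_report_sarif output name and the omitted authentication inputs are assumptions about the action; fail_on and its values come from the discussion above.

```yaml
name: CRDA scan (PR)
on:
  pull_request:

jobs:
  crda-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF to the Security tab
      pull-requests: write     # required if the action labels the PR
    steps:
      - uses: actions/checkout@v3

      # Run the scan but do not abort the job here: with continue-on-error
      # the step's own outcome is still recorded as 'failure' for later steps.
      - name: CRDA scan
        id: crda
        continue-on-error: true
        uses: redhat-actions/crda@v1     # assumed action ref
        with:
          manifest_path: pom.xml         # assumed input; adjust to the project
          fail_on: error                 # value from the discussion above

      # Upload the SARIF regardless of the scan outcome, so the findings
      # reach the Security tab before the job is marked failed.
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.crda.outputs.crda_report_sarif }}   # assumed output name

      # Finally propagate the scan verdict to the job status.
      - name: Fail the job if the scan failed
        if: steps.crda.outcome == 'failure'
        run: |
          echo "CRDA scan reported vulnerabilities at or above the fail_on threshold"
          exit 1
```

With this ordering the job still fails on vulnerabilities, but the uploaded SARIF shows reviewers which dependencies caused it.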