solo-io / go-utils

golang utilities
Apache License 2.0

SecurityScanUtils should create fewer issues #478

Closed bewebi closed 2 years ago

bewebi commented 2 years ago

The CreateGithubIssuePerVersion flag causes SecurityScanUtils to open an issue for every version of an image that contains a CVE; however, this is overkill in many/most scenarios. When a patch for a given CVE on a given version is applied, it will usually be released as part of a new version, and the version in which the CVE was identified will contain the CVE in perpetuity. Because of this, even if we close such security alert issues, they will always be reopened the next time the scan runs.

Therefore it would be beneficial to have a CreateGithubIssuePerMinorVersion flag that has a similar behavior, but only opens issues for the latest patch version of each minor version. This would ensure that we don't open an excessive number of redundant issues and ensure that, once a version that patches a particular CVE is released, we do not continue to open (or reopen) issues that alert about that CVE.
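The selection rule proposed above (keep one issue per MAJOR.MINOR line, attached to its highest patch release, and drop findings on superseded patch releases) is small enough to show end to end. The following is an added illustration written for this page, not code from go-utils or from the issue author; the `Finding` shape, the `IssuesPerMinor` name, the `v`-prefixed version strings and the CVE identifiers in the sample input are all constructed for the example. Versions that do not parse as MAJOR.MINOR.PATCH are returned separately rather than silently dropped, so a scan over a `latest` tag still surfaces somewhere.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Version is a parsed MAJOR.MINOR.PATCH tag. Pre-release and build metadata
// are deliberately not handled here (assumption of this example).
type Version struct {
	Raw                 string
	Major, Minor, Patch int
}

// ParseVersion accepts "1.2.3" or "v1.2.3" and rejects anything else.
func ParseVersion(raw string) (Version, error) {
	parts := strings.Split(strings.TrimPrefix(raw, "v"), ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("not MAJOR.MINOR.PATCH: %q", raw)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("bad component %q in %q", p, raw)
		}
		nums[i] = n
	}
	return Version{Raw: raw, Major: nums[0], Minor: nums[1], Patch: nums[2]}, nil
}

// Finding is one (image version, CVE) pair as a scan might report it
// (constructed shape for this example).
type Finding struct {
	Version string
	CVE     string
}

// IssuesPerMinor groups findings into one issue per MAJOR.MINOR line, keyed by
// the highest patch release seen for that line. Findings on older patch
// releases are discarded, since a fixed CVE never leaves the version it was
// found in. Unparseable version strings are returned in skipped (deduplicated).
func IssuesPerMinor(findings []Finding) (issues map[string][]string, skipped []string) {
	latest := map[string]Version{} // "MAJOR.MINOR" -> highest patch seen
	seenSkipped := map[string]bool{}
	for _, f := range findings {
		v, err := ParseVersion(f.Version)
		if err != nil {
			if !seenSkipped[f.Version] {
				seenSkipped[f.Version] = true
				skipped = append(skipped, f.Version)
			}
			continue
		}
		key := fmt.Sprintf("%d.%d", v.Major, v.Minor)
		if cur, ok := latest[key]; !ok || v.Patch > cur.Patch {
			latest[key] = v
		}
	}

	issues = map[string][]string{}
	seenCVE := map[string]bool{} // "issueVersion|CVE", to avoid duplicate entries
	for _, f := range findings {
		v, err := ParseVersion(f.Version)
		if err != nil {
			continue
		}
		key := fmt.Sprintf("%d.%d", v.Major, v.Minor)
		top := latest[key]
		if v.Patch != top.Patch {
			continue // superseded patch release: no issue
		}
		k := top.Raw + "|" + f.CVE
		if seenCVE[k] {
			continue
		}
		seenCVE[k] = true
		issues[top.Raw] = append(issues[top.Raw], f.CVE)
	}
	for _, cves := range issues {
		sort.Strings(cves)
	}
	return issues, skipped
}

// SampleFindings is constructed input; the CVE identifiers are placeholders.
var SampleFindings = []Finding{
	{"v1.2.0", "CVE-0000-0001"},
	{"v1.2.1", "CVE-0000-0001"},
	{"v1.2.1", "CVE-0000-0002"},
	{"v1.2.1", "CVE-0000-0001"}, // duplicate report, collapsed
	{"v1.3.0", "CVE-0000-0001"}, // superseded by v1.3.2, dropped
	{"v1.3.2", "CVE-0000-0003"},
	{"latest", "CVE-0000-0003"}, // not a semver tag, reported as skipped
}

func main() {
	issues, skipped := IssuesPerMinor(SampleFindings)
	for ver, cves := range issues {
		fmt.Printf("issue for %s: %s\n", ver, strings.Join(cves, ", "))
	}
	fmt.Printf("skipped (unparseable): %v\n", skipped)
}
```

With the sample input this yields two issues instead of five: one for `v1.2.1` listing both CVEs and one for `v1.3.2`, while `v1.2.0` and `v1.3.0` produce nothing because a later patch release of the same minor line exists. Note that the rule is purely version-based; it does not check that the newer patch actually fixed the CVE, which is why the issue for the latest patch still lists every CVE reported against it.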