stacklok / minder

Software Supply Chain Security Platform
https://minder-docs.stacklok.dev/
Apache License 2.0

Create a rule type for code scanning analyses to report and remediate scanning alerts #2228

Open meganbruce opened 7 months ago

meganbruce commented 7 months ago

Please describe the enhancement

Minder can currently enable code scanning for a repo, and make sure that it's continually enabled. However, understanding whether code scanning is on in a repo entails more than just whether it's enabled. You could have code scanning on, but the results could be failing and no action is being taken. Making sure that those alerts from failed code scans are being uploaded to a repo so that action can be taken is really important.

Solution Proposal

The GitHub API has an endpoint to list / get code scanning analyses for a repo. We could do something with this to better support CodeQL enablement and adoption, like open a PR with failed code scanning alerts for a remediation action.

Per GitHub, this endpoint also works if the customer is using a 3P code scanning tool, like Trivy.

Additional context

This suggestion came from a conversation with a Field Engineer at GitHub.
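To make the proposal concrete, here is an added example (my own code, not Minder's and not from the issue) of the evaluation such a rule type would need to do. It assumes the caller has already fetched the JSON from the two GitHub endpoints the proposal refers to, `GET /repos/{owner}/{repo}/code-scanning/analyses` and `GET /repos/{owner}/{repo}/code-scanning/alerts`, and only models the subset of response fields the check uses. The policy itself (a freshness window for the latest analysis on the default branch and a severity threshold for open alerts) is a hypothetical choice for illustration, and the embedded JSON is constructed sample data, not output from a real repository.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Subset of the fields returned by GET /repos/{owner}/{repo}/code-scanning/analyses.
type Analysis struct {
	ID           int       `json:"id"`
	Ref          string    `json:"ref"`
	CreatedAt    time.Time `json:"created_at"`
	ResultsCount int       `json:"results_count"`
	Tool         struct {
		Name string `json:"name"`
	} `json:"tool"`
}

// Subset of the fields returned by GET /repos/{owner}/{repo}/code-scanning/alerts.
type Alert struct {
	Number int    `json:"number"`
	State  string `json:"state"` // "open", "dismissed" or "fixed"
	Rule   struct {
		ID                    string `json:"id"`
		SecuritySeverityLevel string `json:"security_severity_level"`
	} `json:"rule"`
	MostRecentInstance struct {
		Ref string `json:"ref"`
	} `json:"most_recent_instance"`
}

// Report is what a rule evaluation hands back: whether scanning is actually
// running on the default branch and what is still waiting for remediation.
type Report struct {
	LatestAnalysis *Analysis      // newest analysis on the default branch, nil if none
	Stale          bool           // no analysis younger than maxAge
	OpenBySeverity map[string]int // open alerts on the default branch, keyed by severity
	Findings       []string       // reasons the rule would fail
}

// severityRank orders GitHub's security_severity_level values; unknown or
// empty levels rank 0 and never trip the threshold.
var severityRank = map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}

func ParseAnalyses(b []byte) ([]Analysis, error) {
	var v []Analysis
	return v, json.Unmarshal(b, &v)
}

func ParseAlerts(b []byte) ([]Alert, error) {
	var v []Alert
	return v, json.Unmarshal(b, &v)
}

// Evaluate applies the hypothetical policy: defaultRef must have an analysis
// newer than maxAge, and no open alert at or above minSeverity.
func Evaluate(analyses []Analysis, alerts []Alert, defaultRef string, now time.Time, maxAge time.Duration, minSeverity string) Report {
	rep := Report{OpenBySeverity: map[string]int{}}
	for i := range analyses {
		a := &analyses[i]
		if a.Ref != defaultRef {
			continue // analyses of feature branches do not prove the default branch is scanned
		}
		if rep.LatestAnalysis == nil || a.CreatedAt.After(rep.LatestAnalysis.CreatedAt) {
			rep.LatestAnalysis = a
		}
	}
	if rep.LatestAnalysis == nil {
		rep.Stale = true
		rep.Findings = append(rep.Findings, fmt.Sprintf("no code scanning analysis found for %s", defaultRef))
	} else if now.Sub(rep.LatestAnalysis.CreatedAt) > maxAge {
		rep.Stale = true
		rep.Findings = append(rep.Findings, fmt.Sprintf("latest %s analysis (id %d) is older than %s",
			rep.LatestAnalysis.Tool.Name, rep.LatestAnalysis.ID, maxAge))
	}
	for _, al := range alerts {
		if al.State != "open" || al.MostRecentInstance.Ref != defaultRef {
			continue // fixed/dismissed alerts, or alerts only seen on other refs, are not actionable here
		}
		sev := al.Rule.SecuritySeverityLevel
		if sev == "" {
			sev = "none" // non-security queries carry no security_severity_level
		}
		rep.OpenBySeverity[sev]++
		if severityRank[sev] >= severityRank[minSeverity] {
			rep.Findings = append(rep.Findings, fmt.Sprintf("open %s alert #%d (%s) needs remediation", sev, al.Number, al.Rule.ID))
		}
	}
	return rep
}

// Constructed sample responses (not from a real repository).
const SampleAnalyses = `[
 {"id": 201, "ref": "refs/heads/main", "created_at": "2024-06-10T12:00:00Z", "results_count": 2, "tool": {"name": "CodeQL"}},
 {"id": 200, "ref": "refs/heads/main", "created_at": "2024-05-01T12:00:00Z", "results_count": 1, "tool": {"name": "CodeQL"}},
 {"id": 199, "ref": "refs/heads/feature", "created_at": "2024-06-11T12:00:00Z", "results_count": 1, "tool": {"name": "CodeQL"}}
]`

const SampleAlerts = `[
 {"number": 7, "state": "open", "rule": {"id": "go/sql-injection", "security_severity_level": "high"}, "most_recent_instance": {"ref": "refs/heads/main"}},
 {"number": 6, "state": "open", "rule": {"id": "go/log-injection", "security_severity_level": "medium"}, "most_recent_instance": {"ref": "refs/heads/main"}},
 {"number": 5, "state": "fixed", "rule": {"id": "go/path-injection", "security_severity_level": "high"}, "most_recent_instance": {"ref": "refs/heads/main"}},
 {"number": 4, "state": "open", "rule": {"id": "go/xss", "security_severity_level": "critical"}, "most_recent_instance": {"ref": "refs/heads/feature"}}
]`

func main() {
	analyses, _ := ParseAnalyses([]byte(SampleAnalyses))
	alerts, _ := ParseAlerts([]byte(SampleAlerts))
	now := time.Date(2024, 6, 12, 0, 0, 0, 0, time.UTC)
	rep := Evaluate(analyses, alerts, "refs/heads/main", now, 7*24*time.Hour, "high")
	fmt.Printf("stale=%v open=%v\n", rep.Stale, rep.OpenBySeverity)
	for _, f := range rep.Findings {
		fmt.Println("finding:", f)
	}
}
```

The `Findings` slice is the part a remediation action would consume: each entry names one open alert on the default branch, which is the list a "open a PR with the failed alerts" remediation would turn into a PR body. Filtering on `most_recent_instance.ref` matters because the alerts endpoint also returns alerts that only exist on feature branches, and those would otherwise make the default branch look worse than it is.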

evankanderson commented 1 month ago

@ethomson for feature prioritization