Change security slack notifications to alert based on open code scanning results #493
Assignees
Labels
kind/cleanup
engineering focused non-feature work
Comments
benmoss
added
carvel-triage
|
This turned out to be slightly more complicated than I thought since we're scanning the latest release as well. I don't think there's a good way to associate a code scan alert with a release, so for instance if we had a fixed vulnerability in |
|
Reopening since this is gonna bother me forever. I looked into it a bit today but was blocked by github/codeql-action#890. There looks like there will be a fix there shortly so I'll revisit once that's merged. |
github-actions
bot
added
the
carvel-triage
benmoss
removed
the
carvel-triage
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Right now our Trivy code scanning workflow will send Slack alerts based on whether the Trivy CLI finds any unresolved issues in our images/binaries. It also posts them to GitHub's Code Scanning tool for our repo, which allows us to mark them as resolved/wontfix.
The problem is that if we have a wontfix it will be closed from GitHub, but Trivy will still report it as present. If we could trigger based on the open Code Scanning tickets instead we could have a better picture of unresolved items. It looks like it should be possible using GitHub's API.
If we get this working we should also fix this with other Carvel projects.
The text was updated successfully, but these errors were encountered: