Sarif output
Hello, it would be great if the action was able to do SARIF output to better integrate with GH Advanced Security. Doing so would make the PR comment redundant and I believe would be more idiomatic with how the CodeQL ecosystem integrates.
Hi @ben-wilson-peak ! Could you elaborate a bit more on the workflow you're thinking of, for when you'd use a SARIF output after running the action?
Absolutely. I'd like to use it in lieu of the comment output. Personally I find the output to be a little useless. It conveys information but it's not a call for action.
It doesn't need to be SARIF really, I'm happy to change the title. I'm not sure of the functional difference between SARIF with advanced security and just line highlighting. Example here - https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#using-workflow-commands-to-access-toolkit-functions
Suggested fixes directly in the PR would be a killer feature but I understand it adds complexity
ignore that accidental close, somehow hit ctrl + enter 😆
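The two output forms raised in this thread, as an added illustration that is not part of the issue or of the dependency-review action's own code: a small Python script that renders constructed dependency findings both as GitHub Actions workflow-command annotations (the `::error file=...,line=...::message` form from the linked docs, which is what produces line highlighting on a PR) and as a minimal SARIF 2.1.0 log of the kind code scanning ingests. The findings list, its field names, the advisory identifiers and the tool name are all constructed for the example; the action's real output shape is not assumed.

```python
import json

# Constructed sample findings. The field names are an assumed, simplified
# shape for this example only, not the dependency-review action's real output.
SAMPLE_FINDINGS = [
    {"manifest": "package.json", "line": 12, "package": "lodash",
     "version": "4.17.15", "advisory": "GHSA-EXAMPLE-0001",
     "severity": "high", "summary": "Prototype pollution"},
    {"manifest": "requirements.txt", "line": 3, "package": "requests",
     "version": "2.19.0", "advisory": "GHSA-EXAMPLE-0002",
     "severity": "moderate", "summary": "Example advisory, constructed"},
]

# Severity buckets -> annotation command level / SARIF result level.
_COMMAND_LEVEL = {"critical": "error", "high": "error", "moderate": "warning", "low": "warning"}
_SARIF_LEVEL = {"critical": "error", "high": "error", "moderate": "warning", "low": "note"}


def _escape_data(text):
    # Escaping for the message part of a workflow command: '%' first so the
    # percent-encodings added afterwards are not re-escaped.
    return text.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def _escape_property(text):
    # Property values (file=, title=) additionally escape ':' and ',' so they
    # cannot break out of the key=value list.
    return _escape_data(text).replace(":", "%3A").replace(",", "%2C")


def to_workflow_command(finding):
    """Render one finding as a GitHub Actions annotation line (::error file=...)."""
    level = _COMMAND_LEVEL.get(finding["severity"], "warning")
    title = _escape_property(f'{finding["package"]}@{finding["version"]}')
    message = _escape_data(f'{finding["advisory"]} ({finding["severity"]}): {finding["summary"]}')
    return (f"::{level} file={_escape_property(finding['manifest'])},"
            f"line={finding['line']},title={title}::{message}")


def to_sarif(findings, tool_name="dependency-review-example"):
    """Build a minimal SARIF 2.1.0 log: one rule per advisory, one result per finding."""
    rules = {}
    results = []
    for f in findings:
        # Rules are keyed by advisory id so repeated advisories are listed once.
        rules.setdefault(f["advisory"], {
            "id": f["advisory"],
            "shortDescription": {"text": f["summary"]},
        })
        results.append({
            "ruleId": f["advisory"],
            "level": _SARIF_LEVEL.get(f["severity"], "warning"),
            "message": {"text": f'{f["package"]}@{f["version"]}: {f["summary"]}'},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["manifest"]},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                  "results": results}],
    }


if __name__ == "__main__":
    # Annotation lines go to stdout of a step; the SARIF document would be
    # written to a file for an upload step to pick up.
    for finding in SAMPLE_FINDINGS:
        print(to_workflow_command(finding))
    print(json.dumps(to_sarif(SAMPLE_FINDINGS), indent=2))
```

The annotation path is the lighter option: each line printed by a step becomes an inline annotation on the PR at the manifest line, which is the "line highlighting" mentioned above. The SARIF path carries the same findings but with stable rule ids and locations, so they land in the code scanning alerts view and persist beyond the single workflow run.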
Thanks @ben-wilson-peak . Agree that there are some usability improvements we could make to the dependency review action to make it more actionable and contextual to the workflow run. We'll take this under advisement for future improvements!
As far as suggested fixes go - take a look at using Dependabot to manage dependency updates
Looking forward to it!
User-story-wise, we'd ideally like to avoid committing a change which introduces an issue and then having another PR to update the dependency. It would be better to block a bad dep from being introduced at the source and patch it there.