Harm Weites

Results 19 comments of Harm Weites

having the same issue here, fresh PR with files that are supposedly _not good_ but are new as of this PR workflow: ``` 1 file(s) written: results.json Starting the github...

Some debugging on a private repo with name `ecr-provisioning`:

```
declare -x GITHUB_WORKSPACE="/home/runner/work/ecr-provisioning/ecr-provisioning"
```

In this repo, I have terraform files in a subfolder `./terraform/` and tfsec found an issue...

I found it a little painful to debug so tried adding some meaningful output in https://github.com/aquasecurity/tfsec-pr-commenter-action/pull/64 😅 it is difficult to reproduce though, between local docker and GitHub action 😞...

Those `wget` calls are running in regular anonymous mode, where they are subject to rate-limiting rules. If we change these to use the GITHUB_TOKEN, GitHub will see them as _trusted_,...

yeah totally, just figured having it separate would make it easier to develop (separation of concerns, decoupling) 🙂 (but my JS skills are sub-par)

just as an FYI, here's something (completely unrelated) that I'm using inside some actions: ``` const ok_output = `#### Linter: \`${{ steps.linter.outcome }}\``; const fail_output = ` \`\`\` ${process.env.RESULTS} \`\`\`...

Nice idea, though it should always be possible to use it 'the old fashioned way' - I just want to execute my script, without fiddling with a gui.

Is there something we can do to help testing? These false-positives around `reactor-netty-*` are hitting us in quite some Java and Scala projects - we applied updates, yet _still_ get...

@metalmatze would appreciate your thoughts on this, thank you.

> Thank you for the contribution, and I am sorry for the long silence.
>
> I'm still wondering if we should have this as part of Pyrra directly or...