megalinter
:bulb: Automatically create an issue for each tool with errors
Problem
We use MegaLinter in incremental non-blocking form (modified exit code, validate_codebase set to false) in pull requests and in full blocking form on a nightly schedule. I’d expect to see an option to have issues created for failures of individual tools.
Suggested Solution
If not inside MegaLinter itself, some advice on how I could automatically raise issues if, for example, Checkov finds issues with the Terraform.
Alternative Solutions
I could leave the MegaLinter exit code alone and have an issue created when it fails, but then MegaLinter becomes a blocker, which our org isn't yet ready for. Also, this would imply the issue is with MegaLinter rather than a specific tool inside it finding problems.
Additional Context
I'd like to see vulnerabilities have an issue created for teams to track progress to a resolution.
@RolfMoleman do you mean that if 5 tools find errors on a PR, you want to create one GitHub issue per tool?
I'm afraid that if we do that, it will generate dozens of issues that nobody will look at :/
In which context do you use MegaLinter?
> @RolfMoleman do you mean that if 5 tools find errors on a PR, you want to create one GitHub issue per tool?
> I'm afraid that if we do that, it will generate dozens of issues that nobody will look at :/
> In which context do you use MegaLinter?

Hi @nvuillam,
I can see how it could be too noisy for some teams, yes, but that's why I think an option would be helpful.
We use MegaLinter in both Azure DevOps pipelines and GitHub workflows. There are some errors/warnings that, whilst they should ideally be resolved, are less crucial, such as some formatting/linting ones. However, for security-based errors such as those from the likes of KICS, Trufflehog, Checkov etc., it would be nice to have the option to have a separate issue created to resolve specific issues.
Perhaps an issue reporter flag in the config file where we can include the options for all (for an issue per tool/linter with errors), MegaLinter (for one issue that displays the MegaLinter table, or perhaps something a bit like the renovate dependency dashboard) and the ability to list linters/tools for an issue to be created for each, similar to the enable_linters option. I guess to reduce noise there could be an issue_level option which would refer to the serilog log_level, so that if set as error it would only create an issue for errors, if set to warning it would create issues for warnings and above, etc.
I hope that makes sense.