Automatically configure Packit projects to use OpenScanHub
As of now, we are scanning only 73 packages through OpenScanHub integration with Packit. This issue tracks opening pull requests to configure projects to start submitting scans to OpenScanHub.
This list contains packages currently being scanned through OpenScanHub via Packit.
Add polkit to the list.
Another possibility is to do differential scans with the latest koji builds. Although the results may look confusing, as they may contain findings from changes outside a pull request. So, it probably makes sense to do such scans before a package release.
> Although the results may look confusing as they may contain findings from changes outside a pull request.

I agree this could be quite misleading and inaccurate, so I would probably avoid doing that.

> So, it probably makes sense to do such scans before a package release.

Can you elaborate on this a bit, please?
We can do a differential scan on each commit to the target branch, but that could be too resource-consuming, and the results may not be visible to the user. I was thinking about triggering a differential scan with one of these jobs, but I am not sure how we can make the results visible to the user. Otherwise, we may just have to rely on Packit as the Fedora CI to perform a differential scan.
> I was thinking about triggering a differential scan with one of these jobs, but I am not sure how we can make the results visible to the user. Otherwise, we may just have to rely on Packit as the Fedora CI to perform a differential scan.

Ah, I see, thanks for the explanation! Those are, though, triggered on upstream release, so doing that would have a similar effect as triggering directly on downstream pull requests.