
Create a rule type for code scanning analyses to report and remediate scanning alerts

Open meganbruce opened this issue 2 years ago • 2 comments

Please describe the enhancement

Minder can currently enable code scanning for a repo, and make sure that it's continually enabled. However, understanding whether code scanning is on in a repo entails more than just whether it's enabled. You could have code scanning on, but the results could be failing and no action is being taken. Making sure that those alerts from failed code scans are being uploaded to a repo so that action can be taken is really important.

Solution Proposal

The GitHub API has an endpoint to list / get code scanning analyses for a repo. We could do something with this to better support CodeQL enablement and adoption, like open a PR with failed code scanning alerts for a remediation action.

Per GitHub, this endpoint also works if the customer is using a 3P code scanning tool, like Trivy.

Additional context

This suggestion came from a conversation with a Field Engineer at GitHub.

meganbruce, Jan 30 '24 20:01
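The rule type proposed above has two halves that a plain "is code scanning enabled" check does not cover: whether analyses are actually still being uploaded (and succeeding), and which alerts from those analyses are still open. The following Go program is an added example, not Minder's code and not written by the issue author; it sketches how such a rule could evaluate the two GitHub endpoints the issue names. The JSON field names (`commit_sha`, `created_at`, `error`, `tool.name`, `number`, `state`, `rule.id`, `rule.security_severity_level`, `html_url`) are those of the GitHub REST API's code-scanning analyses and alerts objects; everything else is an assumption: the seven-day freshness window, the "high or critical open alert fails the rule" policy, the `example-org/example-repo` name, and the sample responses, which are constructed inline so the program runs offline rather than fetching from `api.github.com`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Subset of the objects returned by GET /repos/{owner}/{repo}/code-scanning/analyses
// and GET /repos/{owner}/{repo}/code-scanning/alerts (GitHub REST API, Bearer token auth).
type Analysis struct {
	CommitSHA string    `json:"commit_sha"`
	CreatedAt time.Time `json:"created_at"`
	Error     string    `json:"error"` // non-empty when the tool reported a failed run
	Tool      struct{ Name string `json:"name"` } `json:"tool"`
}

type Alert struct {
	Number  int    `json:"number"`
	State   string `json:"state"` // open, dismissed or fixed
	HTMLURL string `json:"html_url"`
	Rule    struct {
		ID       string `json:"id"`
		Severity string `json:"security_severity_level"` // empty for non-security rules
	} `json:"rule"`
}

type Report struct {
	LatestUpload   time.Time
	Stale          bool     // enabled but nothing uploaded within maxAge (or ever): the gap the issue describes
	UploadErrors   []string // analyses whose run failed
	OpenBySeverity map[string]int
	OpenAlerts     []Alert
}

// Evaluate checks what the "enabled" flag alone cannot: scans still upload and succeed, and which alerts remain open.
func Evaluate(analyses []Analysis, alerts []Alert, now time.Time, maxAge time.Duration) Report {
	r := Report{OpenBySeverity: map[string]int{}}
	for _, a := range analyses {
		if a.CreatedAt.After(r.LatestUpload) {
			r.LatestUpload = a.CreatedAt
		}
		if a.Error != "" {
			r.UploadErrors = append(r.UploadErrors, fmt.Sprintf("%s on %.7s: %s", a.Tool.Name, a.CommitSHA, a.Error))
		}
	}
	r.Stale = r.LatestUpload.IsZero() || now.Sub(r.LatestUpload) > maxAge
	for _, al := range alerts {
		if al.State != "open" {
			continue // dismissed and fixed alerts need no action
		}
		r.OpenBySeverity[al.Rule.Severity]++
		r.OpenAlerts = append(r.OpenAlerts, al)
	}
	return r
}

// NeedsRemediation is the assumed pass/fail policy: stale or failing scans, or open high/critical alerts.
func NeedsRemediation(r Report) bool {
	return r.Stale || len(r.UploadErrors) > 0 || r.OpenBySeverity["critical"]+r.OpenBySeverity["high"] > 0
}

// RenderMarkdown produces the body a remediation PR or issue could carry.
func RenderMarkdown(repo string, r Report) string {
	var b strings.Builder
	fmt.Fprintf(&b, "## Code scanning status for %s\n- Latest upload: %s (stale: %t)\n", repo, r.LatestUpload.Format(time.RFC3339), r.Stale)
	for _, e := range r.UploadErrors {
		fmt.Fprintf(&b, "- Failed analysis: %s\n", e)
	}
	for _, al := range r.OpenAlerts {
		fmt.Fprintf(&b, "- [%s] alert #%d %s %s\n", al.Rule.Severity, al.Number, al.Rule.ID, al.HTMLURL)
	}
	return b.String()
}

// Constructed sample responses (not real GitHub data) so the example runs offline.
const SampleAnalyses = `[
 {"commit_sha":"a1b2c3d4e5f60718293a4b5c6d7e8f9012345678","created_at":"2024-01-29T10:00:00Z","error":"","tool":{"name":"CodeQL"}},
 {"commit_sha":"0123456789abcdef0123456789abcdef01234567","created_at":"2024-01-28T09:00:00Z","error":"SARIF upload rejected (constructed)","tool":{"name":"Trivy"}}]`
const SampleAlerts = `[
 {"number":12,"state":"open","html_url":"https://github.com/example-org/example-repo/security/code-scanning/12","rule":{"id":"js/sql-injection","security_severity_level":"critical"}},
 {"number":13,"state":"open","html_url":"https://github.com/example-org/example-repo/security/code-scanning/13","rule":{"id":"js/incomplete-sanitization","security_severity_level":"medium"}},
 {"number":9,"state":"fixed","html_url":"https://github.com/example-org/example-repo/security/code-scanning/9","rule":{"id":"js/xss","security_severity_level":"high"}}]`

func main() {
	var an []Analysis
	var al []Alert
	if err := json.Unmarshal([]byte(SampleAnalyses), &an); err != nil {
		panic(err)
	}
	if err := json.Unmarshal([]byte(SampleAlerts), &al); err != nil {
		panic(err)
	}
	r := Evaluate(an, al, time.Date(2024, 1, 30, 20, 0, 0, 0, time.UTC), 7*24*time.Hour)
	fmt.Print(RenderMarkdown("example-org/example-repo", r))
	fmt.Println("needs remediation:", NeedsRemediation(r))
}
```

Because the same structs decode responses from a 3P tool such as Trivy as well as from CodeQL (the `tool.name` field distinguishes them), the failed-analysis and stale-upload checks work regardless of which scanner populated the endpoint, which matches the point made below about third-party tools. Wiring this into a real rule would replace the sample constants with authenticated GET requests to the two endpoints and turn `RenderMarkdown`'s output into the body of the proposed remediation PR.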

@ethomson for feature prioritization

evankanderson, Jul 10 '24 14:07

@ethomson -- this was a suggestion / request from a prospective user, but it was a GitHub field engineer, so feel free to close with "not something that we've heard from other customers".

evankanderson, Sep 10 '24 13:09

(Not completed, but we've seen no customer demand)

evankanderson, Jan 28 '25 14:01