Add configurations for CI to fail on OSH scan failures and new findings #2515

Open
Tracked by #2516
siteshwar opened this issue Sep 5, 2024 · 6 comments

Comments

@siteshwar
Contributor

siteshwar commented Sep 5, 2024

This is a follow-up on packit/packit#2371 (reply in thread)

We should add two separate configuration options to cause CI to fail on scan failures and new findings:

  • fail_ci_on_scan_failure should cause CI to become red if OSH scan fails.
  • fail_ci_on_new_findings should cause CI to become red on new findings.

Both of these options should be kept false by default, because there may be issues with buildroot that can cause a scan to fail, or there may be a large amount of false positives for certain projects.

@lachmanfrantisek
Member

Thanks @siteshwar for writing this down.

As a first thing, we need to resolve the reporting in general: #2516

@mfocko
Member

mfocko commented Sep 5, 2024

I would probably prefer a blocking attribute… On GitHub we could set non-blocking to neutral status if it fails (that doesn't block merging).

@siteshwar
Contributor Author

  • fail_ci_on_new_findings should cause CI to become red on new findings.

On second thought, the status should not be "fail", it should be "action_required" on new findings. Also, it should be "neutral" if there is a new finding but the CI is not configured to fail.

@siteshwar
Contributor Author

This may be more complicated than it looked initially, as we plan to upload SARIF to CodeQL and it has its own checks for severity of the findings that determine the status of the CI.

@mfocko
Member

mfocko commented Sep 24, 2024

Can't the CodeQL replace the checks? 🤔

@siteshwar
Contributor Author

Can't the CodeQL replace the checks? 🤔

It seems configurable, but the default setting hides results from the user.

We can only keep the osh-diff-scan check and avoid uploading to CodeQL. Check should directly reference the final html report from OpenScanHub.
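The status mapping the thread converges on, as an added example that is not Packit's or OpenScanHub's code: a policy object with the two proposed options (both false by default), a finding count taken from a constructed minimal SARIF report, and the derivation of the check conclusion ("failure" or "neutral" on scan failure, "action_required" or "neutral" on new findings). The "success" conclusion for a clean scan, the sample rule ids, and representing a failed scan as a missing report are assumptions.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Minimal SARIF 2.1.0 document, constructed for this example; a real report
# would come from the OpenScanHub scan output. Rule ids are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "osh-diff-scan"}},
        "results": [
            {"ruleId": "NULL_RETURNS", "level": "warning",
             "message": {"text": "dereferencing possibly NULL value"}},
            {"ruleId": "RESOURCE_LEAK", "level": "error",
             "message": {"text": "leaked handle"}},
        ],
    }],
})

@dataclass
class ScanPolicy:
    # Both default to False, as the issue proposes.
    fail_ci_on_scan_failure: bool = False
    fail_ci_on_new_findings: bool = False

def count_new_findings(sarif_text: str) -> int:
    """Count results across all runs of a SARIF document."""
    doc = json.loads(sarif_text)
    return sum(len(run.get("results", [])) for run in doc.get("runs", []))

def check_status(scan_failed: bool, new_findings: int, policy: ScanPolicy) -> str:
    """Derive the check conclusion as the thread describes.

    Scan failure -> "failure" only with fail_ci_on_scan_failure, else "neutral";
    new findings -> "action_required" only with fail_ci_on_new_findings, else
    "neutral". "success" for a clean scan is an assumption.
    """
    if scan_failed:
        return "failure" if policy.fail_ci_on_scan_failure else "neutral"
    if new_findings > 0:
        return "action_required" if policy.fail_ci_on_new_findings else "neutral"
    return "success"

def evaluate(sarif_text: Optional[str], policy: ScanPolicy) -> str:
    """A missing report (None) stands in for a failed scan (assumption)."""
    if sarif_text is None:
        return check_status(True, 0, policy)
    return check_status(False, count_new_findings(sarif_text), policy)
```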
