GHAS Compliance Action Default Branch Limitation #72

Closed
HaleenUptain opened this issue Nov 9, 2022 · 3 comments
Labels: enhancement (New feature or request)

@HaleenUptain
Description

Limitation identified using Code Scanning and Secret Scanning checks: they are only supported on the default branch. We had hoped these checks could be performed on branch pushes and PRs to catch alerts before they are propagated to the default branch, but that functionality does not seem to be supported.

Proposed Solution

Working with this action, we like what we see. We are very interested in this concept and the ability to push security checks farther left in the development process. The proposed solution is to modify this action to work on any branch, not just the default branch, so checks catch alerts on branch pushes and PRs before they are propagated to the default branch.

@HaleenUptain HaleenUptain added the enhancement New feature or request label Nov 9, 2022
@GeekMasher GeekMasher self-assigned this Dec 6, 2022
@GeekMasher (Owner)

GeekMasher commented Dec 6, 2022

@HaleenUptain You are right and some of this is missing functionality. For Secret Scanning and Dependabot, we can only get the current alerts with no associated data such as branch "first detected in".

Code Scanning uses the ref from the Action, which comes from Actions, and should work.

I might have to write some tests and make sure this does work as intended.

How important is this functionality to you? I can spend some time this or next week building this out, as it would take long to build out.

@HaleenUptain (Author)

HaleenUptain commented Dec 6, 2022

@GeekMasher Ability to run a GHAS Compliance action against non-default branches to stop alerts before they are merged into the default branch is critical functionality we are looking for in a GHAS Compliance action. If we could at least get that working for "Code Scanning" that would help and be a big step forward.

Looks like the passed in ref is never used.

Our tests also indicate that ref is not used. We ran a couple of bare-minimum tests to prove this out: a simple stand-alone compliance job using workflow_dispatch to run the jobs manually. Note: Code scanning is the only compliance feature we have turned on in these tests.

Default Branch Test - main

main branch has no high alerts. Policy snippet:

```yaml
codescanning:
  level: error
```

Standalone compliance job running in main reports that correctly. Ref in .yml is set to:

```yaml
ref: refs/heads/main
```

Non-Default Branch Test - featurebranch_test

featurebranch_test has one high alert.
Compliance job running in main is not returning the expected result when we change ref in .yml to point to a non-default branch. We would expect the high alert on the featurebranch_test branch to show as a threshold violation:

```yaml
ref: refs/heads/featurebranch_test
```
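The check those two tests were probing, written out as an added example (this is not the action's own code, nor GitHub's): fetch code scanning alerts for an explicit ref rather than the default branch, then apply the `codescanning: level: error` policy from the issue as a threshold. It assumes the GitHub REST endpoint `GET /repos/{owner}/{repo}/code-scanning/alerts` with its `ref` and `state` query parameters; the `example-org/example-repo` names, the combined severity ordering and the sample alerts are constructed for the example, and it runs offline against those samples.

```python
# Added example (not the action's own code): evaluate a code-scanning policy
# against alerts for a specific ref, which is what the issue's tests check.
# Assumptions: the GitHub REST endpoint GET /repos/{owner}/{repo}/code-scanning/alerts
# with its `ref` and `state` query parameters; the policy shape
# `codescanning: {level: ...}` from the issue; the severity ordering below,
# which is this example's own; and constructed sample alerts (no network access).
from typing import Optional
from urllib.parse import urlencode

# Least to most severe. Merges rule.severity (note/warning/error) with
# rule.security_severity_level (low/medium/high/critical). Assumed ordering.
SEVERITY_ORDER = ["none", "note", "low", "warning", "medium", "error", "high", "critical"]

POLICY = {"codescanning": {"level": "error"}}  # the policy snippet from the issue


def alerts_url(owner: str, repo: str, ref: Optional[str] = None) -> str:
    """Build the alerts request URL. Without `ref` the API answers for the
    default branch, which is the limitation the issue describes."""
    params = {"state": "open", "per_page": 100}
    if ref:
        params["ref"] = ref  # e.g. "refs/heads/featurebranch_test"
    return f"https://api.github.com/repos/{owner}/{repo}/code-scanning/alerts?{urlencode(params)}"


def alert_severity(alert: dict) -> str:
    """Highest known severity of an alert on the combined scale."""
    rule = alert.get("rule", {})
    ranks = [SEVERITY_ORDER.index(s)
             for s in (rule.get("security_severity_level"), rule.get("severity"))
             if s in SEVERITY_ORDER]
    return SEVERITY_ORDER[max(ranks)] if ranks else "none"


def threshold_violations(alerts: list, policy: dict) -> list:
    """Alerts at or above the configured level; a non-empty list fails the job."""
    level = policy.get("codescanning", {}).get("level", "none")
    cutoff = SEVERITY_ORDER.index(level)
    return [a for a in alerts if SEVERITY_ORDER.index(alert_severity(a)) >= cutoff]


# Constructed sample alerts standing in for the two branches in the issue's tests:
# main carries only a low-severity alert, the feature branch adds one high alert.
MAIN_ALERTS = [
    {"number": 1, "state": "open",
     "rule": {"id": "js/unused-local-variable", "severity": "note",
              "security_severity_level": None}},
]
FEATURE_ALERTS = MAIN_ALERTS + [
    {"number": 2, "state": "open",
     "rule": {"id": "js/sql-injection", "severity": "error",
              "security_severity_level": "high"}},
]


def run_checks(owner: str = "example-org", repo: str = "example-repo") -> dict:
    """Evaluate the policy per ref, keyed by the ref the request would carry."""
    branches = {
        "refs/heads/main": MAIN_ALERTS,
        "refs/heads/featurebranch_test": FEATURE_ALERTS,
    }
    return {ref: {"url": alerts_url(owner, repo, ref),
                  "violations": len(threshold_violations(alerts, POLICY))}
            for ref, alerts in branches.items()}


if __name__ == "__main__":
    for ref, result in run_checks().items():
        status = "FAIL" if result["violations"] else "PASS"
        print(f"{status} {ref}: {result['violations']} violation(s) via {result['url']}")
```

Run as-is it reports PASS for `refs/heads/main` and FAIL for `refs/heads/featurebranch_test`, which is the result the second test above expected. The point of `alerts_url` is that a request built without the ref silently reports on the default branch, so a job that never forwards its `ref` input will pass on a feature branch that should fail.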

@GeekMasher (Owner)

@HaleenUptain I have moved this repository to a more official repository: https://github.com/advanced-security/policy-as-code

This issue is top priority for me, so I will be working on it before the holidays. Please check the new issue opened here:

advanced-security/policy-as-code#2
