GHAS Compliance Action Default Branch Limitation #72
Description
Limitation identified using the Code Scanning and Secret Scanning checks: they are only supported on the default branch. We had hoped these checks could be performed on branch pushes and PRs to catch alerts before they are propagated to the default branch, but that functionality does not seem to be supported.
Proposed Solution
Working with this action, we like what we see. We are very interested in this concept and the ability to push security checks farther left in the development process. The proposed solution is to modify this action to work on any branch, not just the default branch, so checks catch alerts on branch pushes and PRs before they are propagated to the default branch.
Comments
@HaleenUptain You are right, and some of this is missing functionality. For Secret Scanning and Dependabot, we can only get the current alerts with no associated data such as the branch "first detected in". Code Scanning uses the ref from the Action, which comes from Actions, and should work.
I might have to write some tests and make sure this does work as intended. How important is this functionality to you? I can spend some time this / next week building this out, as it would take long to build out.
@GeekMasher The ability to run a GHAS Compliance action against non-default branches to stop alerts before they are merged into the default branch is critical functionality we are looking for in a GHAS Compliance action. If we could at least get that working for "Code Scanning", that would help and be a big step forward. It looks like the passed-in ref is never used. Our tests also indicate that ref is not used. We ran a couple of bare-minimum tests to prove this out: a simple stand-alone compliance job using workflow_dispatch to run the jobs manually. Note: Code Scanning is the only compliance feature we have turned on in these tests.
Default Branch Test: main
Non-Default Branch Test: featurebranch_test
@HaleenUptain I have moved this repository to a more official repository: https://github.com/advanced-security/policy-as-code . This issue is top priority for myself, so I will be working on it before the holidays. Please check the new issue opened here.
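The point of the issue is that the check should be keyed to the ref being pushed or merged, not to the default branch. For Code Scanning that is possible because the REST endpoint for listing alerts accepts a `ref` parameter (a branch as `refs/heads/<name>` or a pull request as `refs/pull/<number>/merge`, which is exactly what `GITHUB_REF` holds on a `pull_request` event). Secret Scanning and Dependabot alerts are repository-wide and carry no branch, as the maintainer notes, so they are out of scope here. The script below is an added illustration of a per-ref Code Scanning gate written for this issue; it is not the policy-as-code action's own code. The names `alerts_url`, `violations`, `check_ref` and the severity threshold are this example's own, it assumes a token in `GITHUB_TOKEN` plus the Actions variables `GITHUB_REPOSITORY` and `GITHUB_REF`, and the alert payload at the bottom is constructed for the example, not captured from a real repository.

```python
"""Gate a branch or pull request on the Code Scanning alerts for that ref.

Added example for this issue (not the action's own code). Assumes a token
in GITHUB_TOKEN and the Actions-provided GITHUB_REPOSITORY / GITHUB_REF.
"""
import json
import os
import re
import sys
import urllib.parse
import urllib.request

API = "https://api.github.com"

# Ordering used to compare an alert against the policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Fallback for rules without a security_severity_level (e.g. quality
# rules, which only report note/warning/error). Chosen for this example.
RULE_SEVERITY_FALLBACK = {"note": "low", "warning": "medium", "error": "high"}


def normalize_ref(ref: str) -> str:
    """Return the ref in a form the code-scanning API documents.

    refs/heads/<branch> and refs/pull/<n>/merge are passed through; a bare
    branch name such as "featurebranch_test" is prefixed with refs/heads/.
    """
    if ref.startswith("refs/"):
        return ref
    return f"refs/heads/{ref}"


def alerts_url(repo: str, ref: str, state: str = "open", per_page: int = 100) -> str:
    """Build the list-alerts request for one ref.

    The ref query parameter is the piece the issue reports the action never
    sends; without it the API answers for the default branch.
    """
    query = urllib.parse.urlencode(
        {"ref": normalize_ref(ref), "state": state, "per_page": per_page}
    )
    return f"{API}/repos/{repo}/code-scanning/alerts?{query}"


def alert_severity(alert: dict) -> str:
    """Severity used for policy: security_severity_level, else the rule severity."""
    rule = alert.get("rule", {})
    level = rule.get("security_severity_level")
    if level in SEVERITY_RANK:
        return level
    return RULE_SEVERITY_FALLBACK.get(rule.get("severity"), "low")


def violations(alerts: list, min_severity: str = "high") -> list:
    """Open alerts at or above min_severity, i.e. the ones that should fail the job."""
    threshold = SEVERITY_RANK[min_severity]
    return [
        a for a in alerts
        if a.get("state") == "open" and SEVERITY_RANK[alert_severity(a)] >= threshold
    ]


def fetch_alerts(url: str, token: str) -> list:
    """GET all pages of a list-alerts request, following the Link header."""
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    }
    alerts = []
    while url:
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req) as resp:
            alerts.extend(json.load(resp))
            link = resp.headers.get("Link", "")
        nxt = re.search(r'<([^>]+)>;\s*rel="next"', link)
        url = nxt.group(1) if nxt else None
    return alerts


def check_ref(repo: str, ref: str, token: str, min_severity: str = "high", fetch=fetch_alerts) -> list:
    """Return the violating alerts for one ref; empty list means the ref passes."""
    return violations(fetch(alerts_url(repo, ref), token), min_severity)


# Constructed sample response (shape of the list-alerts API, values invented).
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "rule": {"id": "py/log-injection", "severity": "error", "security_severity_level": "medium"}},
    {"number": 2, "state": "open", "rule": {"id": "py/sql-injection", "severity": "error", "security_severity_level": "critical"}},
    {"number": 3, "state": "open", "rule": {"id": "py/unused-import", "severity": "error"}},
    {"number": 4, "state": "dismissed", "rule": {"id": "py/path-injection", "severity": "error", "security_severity_level": "critical"}},
    {"number": 5, "state": "open", "rule": {"id": "py/weak-hash", "severity": "warning", "security_severity_level": "low"}},
]

if __name__ == "__main__":
    repo = os.environ["GITHUB_REPOSITORY"]
    ref = os.environ["GITHUB_REF"]  # refs/heads/<branch> or refs/pull/<n>/merge
    failing = check_ref(repo, ref, os.environ["GITHUB_TOKEN"])
    for a in failing:
        print(f"alert #{a['number']} {a['rule']['id']} ({alert_severity(a)}) open on {ref}")
    sys.exit(1 if failing else 0)
```

Run as a step on `push` and `pull_request` events, the job fails whenever the ref under test still has an open alert at or above the threshold, which is the pre-merge gate the issue asks for. The same `ref` must also be used when uploading SARIF, otherwise the alerts are attributed to a different branch and the query above finds nothing.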