Integration with Github Security Alerts
Closed this issue · 3 comments
GitHub has a security feature called Security Alerts (https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning); one possibility is to integrate new tools, and I think it's interesting to use ZARN for this.
The idea is: when zarn is run on a repository via GitHub Actions, the output will also be sent to Security Alerts if a vulnerability exists. In principle, the best strategy to do this is to simply send the SARIF result to the GitHub API: https://docs.github.com/en/rest/code-scanning/code-scanning?apiVersion=2022-11-28#upload-an-analysis-as-sarif-data
This task can only be done after: #11
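As an added example (not code from this issue or from ZARN itself), here is the upload step the issue describes, shaped the way the documented code-scanning SARIF endpoint expects it. The SARIF document, rule id, file path and message are constructed sample values, and `build_upload_payload`, `decode_payload_sarif` and `upload_sarif` are hypothetical helper names:

```python
import base64
import gzip
import json
import urllib.request

# Constructed minimal SARIF 2.1.0 document standing in for ZARN's output;
# the rule id, file and message are sample values, not real ZARN findings.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "zarn", "rules": [{"id": "SAMPLE-RULE"}]}},
        "results": [{
            "ruleId": "SAMPLE-RULE",
            "message": {"text": "constructed sample finding"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "lib/Example.pm"},
                "region": {"startLine": 1}}}],
        }],
    }],
}

def build_upload_payload(sarif, commit_sha, ref, tool_name="zarn"):
    """Request body for POST /repos/{owner}/{repo}/code-scanning/sarifs:
    GitHub requires the SARIF JSON gzip-compressed and then base64-encoded."""
    blob = gzip.compress(json.dumps(sarif).encode("utf-8"))
    return {
        "commit_sha": commit_sha,  # commit the scan was run against
        "ref": ref,                # e.g. refs/heads/main or refs/pull/N/merge
        "sarif": base64.b64encode(blob).decode("ascii"),
        "tool_name": tool_name,
    }

def decode_payload_sarif(payload):
    # Reverse of the encoding above; useful to check a payload before sending.
    return json.loads(gzip.decompress(base64.b64decode(payload["sarif"])))

def upload_sarif(owner, repo, token, payload):
    """POST the payload. The token needs write access to security events
    (in Actions: permissions: security-events: write); returns the parsed reply."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/code-scanning/sarifs",
        data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {token}",
                 "X-GitHub-Api-Version": "2022-11-28",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

In a workflow the commit SHA and ref come from `GITHUB_SHA` and `GITHUB_REF`, and the upload should only run when the user has opted in, as the comments below ask for.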
Hey @htrgouvea, should this occur by default for everyone who is running zarn on GitHub Actions, or only for users who, in addition to running GitHub Actions, also have a parameter or something they configure so that it is sent to GitHub code scanning?
Hi @giovannism20, the idea is that it is only sent if the person requests it. There needs to be a specific option for this.
Done.