feat: avoid creating issues on vulnerabilities found (by default) (#414)

ansys · Feb 26, 2024 · 1dc4c2b · 1dc4c2b
1 parent 6875064
commit 1dc4c2b
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 4 deletions.
diff --git a/check-vulnerabilities/action.yml b/check-vulnerabilities/action.yml
@@ -105,6 +105,14 @@ inputs:
     required: false
     type: boolean
 
+  create-issues:
+    description: >
+      Whether to create issues for new advisories detected.
+      By default, issues are NOT created for new advisories detected.
+    default: false
+    required: false
+    type: boolean
+
   checkout:
     description: >
       Whether to clone the repository in the CI/CD machine. Default value is
@@ -142,6 +150,10 @@ runs:
           echo "DEPENDENCY_CHECK_DRY_RUN=1" >> $GITHUB_ENV
           echo "DEPENDENCY_CHECK_ERROR_EXIT=1" >> $GITHUB_ENV
         fi
+        if [[ ${{ inputs.create-issues }} == 'true' ]];
+        then
+          echo "DEPENDENCY_CHECK_CREATE_ISSUES=1" >> $GITHUB_ENV
+        fi
 
     - name: "Install Git and clone project"
       uses: actions/checkout@v4
@@ -212,6 +224,7 @@ runs:
         REPOSITORY = os.environ.get("DEPENDENCY_CHECK_REPOSITORY", None)
         DRY_RUN = True if os.environ.get("DEPENDENCY_CHECK_DRY_RUN", None) else False
         ERROR_IF_NEW_ADVISORY = True if os.environ.get("DEPENDENCY_CHECK_ERROR_EXIT", None) else False
+        CREATE_ISSUES = True if os.environ.get("DEPENDENCY_CHECK_CREATE_ISSUES", None) else False
 
 
         def dict_hash(dictionary: Dict[str, Any]) -> str:
@@ -315,7 +328,8 @@ runs:
                     )
 
                     # Create an issue
-                    issue_body = f"""
+                    if CREATE_ISSUES:
+                        issue_body = f"""
         A new security advisory was open in this repository. See {advisory.html_url}.
 
         ---
@@ -330,7 +344,7 @@ runs:
 
         {desc}
         """
-                    repo.create_issue(title=summary, body=issue_body, labels=["security"])
+                        repo.create_issue(title=summary, body=issue_body, labels=["security"])
                 else:
                     # New safety advisory detected
                     safety_results_reported += 1
@@ -412,7 +426,8 @@ runs:
                     )
 
                     # Create an issue
-                    issue_body = f"""
+                    if CREATE_ISSUES:
+                        issue_body = f"""
         A new security advisory was open in this repository. See {advisory.html_url}.
 
         ---
@@ -426,7 +441,7 @@ runs:
         #### Description
         {desc}
         """
-                    repo.create_issue(title=summary, body=issue_body, labels=["security"])
+                        repo.create_issue(title=summary, body=issue_body, labels=["security"])
                 else:
                     # New bandit advisory detected
                     bandit_results_reported += 1

diff --git a/doc/source/migration_guide.rst b/doc/source/migration_guide.rst
@@ -10,6 +10,12 @@ have been updated.
 Development version
 -------------------
 
+**New features:**
+
+- Obscuring vulnerabilities results in ``ansys/action/check-vulnerabilities``. This is useful when you want to hide the
+  vulnerabilities from the logs, but still want to fail the action if vulnerabilities are found.
+- Avoid creating issues by default if vulnerabilities are found in ``ansys/action/check-vulnerabilities``.
+
 **Breaking Changes:**
 
 - N/A