feat: avoid creating issues on vulnerabilities found (by default) (#414)

ansys · Feb 26, 2024 · 2963a50 · 2963a50
1 parent eefb66d
commit 2963a50
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/check-vulnerabilities/action.yml b/check-vulnerabilities/action.yml
@@ -105,6 +105,14 @@ inputs:
     required: false
     type: boolean
 
+  create-issues:
+    description: >
+      Whether to create issues for new advisories detected.
+      By default, issues are NOT created for new advisories detected.
+    default: false
+    required: false
+    type: boolean
+
   checkout:
     description: >
       Whether to clone the repository in the CI/CD machine. Default value is
@@ -142,6 +150,10 @@ runs:
           echo "DEPENDENCY_CHECK_DRY_RUN=1" >> $GITHUB_ENV
           echo "DEPENDENCY_CHECK_ERROR_EXIT=1" >> $GITHUB_ENV
         fi
+        if [[ ${{ inputs.create-issues }} == 'true' ]];
+        then
+          echo "DEPENDENCY_CHECK_CREATE_ISSUES=1" >> $GITHUB_ENV
+        fi
 
     - name: "Install Git and clone project"
       uses: actions/checkout@v4
@@ -212,6 +224,7 @@ runs:
         REPOSITORY = os.environ.get("DEPENDENCY_CHECK_REPOSITORY", None)
         DRY_RUN = True if os.environ.get("DEPENDENCY_CHECK_DRY_RUN", None) else False
         ERROR_IF_NEW_ADVISORY = True if os.environ.get("DEPENDENCY_CHECK_ERROR_EXIT", None) else False
+        CREATE_ISSUES = True if os.environ.get("DEPENDENCY_CHECK_CREATE_ISSUES", None) else False
 
 
         def dict_hash(dictionary: Dict[str, Any]) -> str:
@@ -315,7 +328,8 @@ runs:
                     )
 
                     # Create an issue
-                    issue_body = f"""
+                    if CREATE_ISSUES:
+                        issue_body = f"""
         A new security advisory was open in this repository. See {advisory.html_url}.
 
         ---
@@ -330,7 +344,7 @@ runs:
 
         {desc}
         """
-                    repo.create_issue(title=summary, body=issue_body, labels=["security"])
+                        repo.create_issue(title=summary, body=issue_body, labels=["security"])
                 else:
                     # New safety advisory detected
                     safety_results_reported += 1
@@ -412,7 +426,8 @@ runs:
                     )
 
                     # Create an issue
-                    issue_body = f"""
+                    if CREATE_ISSUES:
+                        issue_body = f"""
         A new security advisory was open in this repository. See {advisory.html_url}.
 
         ---
@@ -426,7 +441,7 @@ runs:
         #### Description
         {desc}
         """
-                    repo.create_issue(title=summary, body=issue_body, labels=["security"])
+                        repo.create_issue(title=summary, body=issue_body, labels=["security"])
                 else:
                     # New bandit advisory detected
                     bandit_results_reported += 1

diff --git a/doc/source/migration_guide.rst b/doc/source/migration_guide.rst
@@ -12,6 +12,9 @@ Version ``v5``
 
 **New features:**
 
+- Obscuring vulnerabilities results in ``ansys/action/check-vulnerabilities``. This is useful when you want to hide the
+  vulnerabilities from the logs, but still want to fail the action if vulnerabilities are found.
+- Avoid creating issues by default if vulnerabilities are found in ``ansys/action/check-vulnerabilities``.
 - Added ``ansys/action/check-vulnerabilities`` to check for third party and first party vulnerabilities.
   This action uses ``bandit`` and ``safety`` to check for vulnerabilities in the code and dependencies, respectively.
 - Added ``ansys/actions/docker-style`` to check for Dockerfile style issues using ``hadolint``.