ansys · RobPasMue · Feb 26, 2024 · Feb 26, 2024 · Feb 26, 2024
@@ -105,6 +105,14 @@ inputs:
     required: false
     type: boolean
 
+  create-issues:
+    description: >
+      Whether to create issues for new advisories detected.
+      By default, issues are NOT created for new advisories detected.
+    default: false
+    required: false
+    type: boolean
+
   checkout:
     description: >
       Whether to clone the repository in the CI/CD machine. Default value is
@@ -142,6 +150,10 @@ runs:
           echo "DEPENDENCY_CHECK_DRY_RUN=1" >> $GITHUB_ENV
           echo "DEPENDENCY_CHECK_ERROR_EXIT=1" >> $GITHUB_ENV
         fi
+        if [[ ${{ inputs.create-issues }} == 'true' ]];
+        then
+          echo "DEPENDENCY_CHECK_CREATE_ISSUES=1" >> $GITHUB_ENV
+        fi
 
     - name: "Install Git and clone project"
       uses: actions/checkout@v4
@@ -212,6 +224,7 @@ runs:
         REPOSITORY = os.environ.get("DEPENDENCY_CHECK_REPOSITORY", None)
         DRY_RUN = True if os.environ.get("DEPENDENCY_CHECK_DRY_RUN", None) else False
         ERROR_IF_NEW_ADVISORY = True if os.environ.get("DEPENDENCY_CHECK_ERROR_EXIT", None) else False
+        CREATE_ISSUES = True if os.environ.get("DEPENDENCY_CHECK_CREATE_ISSUES", None) else False
 
 
         def dict_hash(dictionary: Dict[str, Any]) -> str:
@@ -315,7 +328,8 @@ runs:
                     )
 
                     # Create an issue
-                    issue_body = f"""
+                    if CREATE_ISSUES:
+                        issue_body = f"""
         A new security advisory was open in this repository. See {advisory.html_url}.
 
         ---
@@ -330,7 +344,7 @@ runs:
 
         {desc}
         """
-                    repo.create_issue(title=summary, body=issue_body, labels=["security"])
+                        repo.create_issue(title=summary, body=issue_body, labels=["security"])
                 else:
                     # New safety advisory detected
                     safety_results_reported += 1
@@ -412,7 +426,8 @@ runs:
                     )
 
                     # Create an issue
-                    issue_body = f"""
+                    if CREATE_ISSUES:
+                        issue_body = f"""
         A new security advisory was open in this repository. See {advisory.html_url}.
 
         ---
@@ -426,7 +441,7 @@ runs:
         #### Description
         {desc}
         """
-                    repo.create_issue(title=summary, body=issue_body, labels=["security"])
+                        repo.create_issue(title=summary, body=issue_body, labels=["security"])
                 else:
                     # New bandit advisory detected
                     bandit_results_reported += 1

@@ -7,9 +7,15 @@
 from one version of the actions to another, and other upstream dependencies that
 have been updated.

 Development version
 -------------------
 
+**New features:**
+
+- Obscuring vulnerabilities results in ``ansys/action/check-vulnerabilities``. This is useful when you want to hide the
+  vulnerabilities from the logs, but still want to fail the action if vulnerabilities are found.
+- Avoid creating issues by default if vulnerabilities are found in ``ansys/action/check-vulnerabilities``.
+
 **Breaking Changes:**
 
 - N/A
@@ -24,7 +30,7 @@
 **New features:**

 - Added ``ansys/action/check-vulnerabilities`` to check for third party and first party vulnerabilities.
  This action uses ``bandit`` and ``safety`` to check for vulnerabilities in the code and dependencies, respectively.
 - Added ``ansys/actions/docker-style`` to check for Dockerfile style issues using ``hadolint``.
 - Allow ``vale`` version input in ``ansys/actions/doc-style`` action. By default, ``2.29.6`` is used.
 - Allow using the twine ``--skip-existing`` flag in the ``ansys/actions/release-pypi-*`` actions.