Skip to content

Commit

Permalink
docs: Add PREVIEW label on PR comment options
Browse files Browse the repository at this point in the history
  • Loading branch information
rsenden committed Sep 17, 2024
1 parent 52ee897 commit 0a1d722
Show file tree
Hide file tree
Showing 5 changed files with 40 additions and 20 deletions.
36 changes: 24 additions & 12 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -195,17 +195,19 @@ Note that this may require a [GitHub Advanced Security](https://docs.github.com/

<!-- START-INCLUDE:env-do-pr-comment.md -->

**`DO_PR_COMMENT`, `PR_COMMENT_ACTION`, `PR_COMMENT_EXTRA_OPTS`** - OPTIONAL
**`DO_PR_COMMENT`, `PR_COMMENT_ACTION`, `PR_COMMENT_EXTRA_OPTS`** - OPTIONAL *(PREVIEW)*
If `DO_PR_COMMENT` is set to `true` (implied if any of the other two `PR_COMMENT_*` variables are set, and implies `DO_WAIT`), this action will generate a pull request comment listing new, re-introduced and removed issues using the fcli-provided [FoD `github-pr-comment`](https://fortify.github.io/fcli/dev_develop/fod-actions.html#_github_pr_comment) or [SSC `github-pr-comment`](https://fortify.github.io/fcli/dev_develop/ssc-actions.html#_github_pr_comment) action or, if specified, the custom fcli action specified through `PR_COMMENT_ACTION`. `PR_COMMENT_ACTION` may point to a local file or URL; this custom fcli action must support (at least) the exact same action parameters (including any environment variable based default values for those parameters) as the built-in fcli action. Any extra options for the fcli action can be passed through the `PR_COMMENT_EXTRA_OPTS` environment variable, for example to specify the SSC filter set from which to load issue data, or to allow an unsigned custom action to be used.

Note that pull request comments will only be generated under the following conditions:

* `GITHUB_TOKEN` environment variable needs to be set to a valid GitHub token, for example from `{{ secrets.GITHUB_TOKEN }}`.
* Standard `GITHUB_REF_NAME` environment variable points to a pull request.
* Standard `GITHUB_REF_NAME` environment variable points to a pull request, which is only the case on GitHub `pull_request` triggers and not for example `manual` triggers.
* All other standard GitHub environment variables like `GITHUB_REPOSITORY` and `GITHUB_SHA` are set.

PR comments are generated by comparing scan results from the current GitHub Action run against the previous scan in the same application version/release; it won't detect any new/removed issues from older scans. For best results, you should configure the GitHub Action to run only on pull request creation (not on every commit) and optionally allow for manual runs (if you want to re-run the scan after a PR is updated). You should also configure the action to automatically create a dedicated application version/release for the current branch/PR, copying state from the main/parent branch version/release. This will allow the action to compare scan results for the current GitHub Action run against the last scan results of the main/parent branch.

Given that there are many scenarios where PR comments may list incorrect data, for example when above requirements are not met, this functionality is currently considered PREVIEW functionality. Based on customer feedback, internal research and potential SSC/FoD improvements, we may be able to either improve the current implementation, or potentially decide to remove this functionality if it doesn't work reliably.

<!-- END-INCLUDE:env-do-pr-comment.md -->


Expand Down Expand Up @@ -348,17 +350,19 @@ Note that this may require a [GitHub Advanced Security](https://docs.github.com/

<!-- START-INCLUDE:env-do-pr-comment.md -->

**`DO_PR_COMMENT`, `PR_COMMENT_ACTION`, `PR_COMMENT_EXTRA_OPTS`** - OPTIONAL
**`DO_PR_COMMENT`, `PR_COMMENT_ACTION`, `PR_COMMENT_EXTRA_OPTS`** - OPTIONAL *(PREVIEW)*
If `DO_PR_COMMENT` is set to `true` (implied if any of the other two `PR_COMMENT_*` variables are set, and implies `DO_WAIT`), this action will generate a pull request comment listing new, re-introduced and removed issues using the fcli-provided [FoD `github-pr-comment`](https://fortify.github.io/fcli/dev_develop/fod-actions.html#_github_pr_comment) or [SSC `github-pr-comment`](https://fortify.github.io/fcli/dev_develop/ssc-actions.html#_github_pr_comment) action or, if specified, the custom fcli action specified through `PR_COMMENT_ACTION`. `PR_COMMENT_ACTION` may point to a local file or URL; this custom fcli action must support (at least) the exact same action parameters (including any environment variable based default values for those parameters) as the built-in fcli action. Any extra options for the fcli action can be passed through the `PR_COMMENT_EXTRA_OPTS` environment variable, for example to specify the SSC filter set from which to load issue data, or to allow an unsigned custom action to be used.

Note that pull request comments will only be generated under the following conditions:

* `GITHUB_TOKEN` environment variable needs to be set to a valid GitHub token, for example from `{{ secrets.GITHUB_TOKEN }}`.
* Standard `GITHUB_REF_NAME` environment variable points to a pull request.
* Standard `GITHUB_REF_NAME` environment variable points to a pull request, which is only the case on GitHub `pull_request` triggers and not for example `manual` triggers.
* All other standard GitHub environment variables like `GITHUB_REPOSITORY` and `GITHUB_SHA` are set.

PR comments are generated by comparing scan results from the current GitHub Action run against the previous scan in the same application version/release; it won't detect any new/removed issues from older scans. For best results, you should configure the GitHub Action to run only on pull request creation (not on every commit) and optionally allow for manual runs (if you want to re-run the scan after a PR is updated). You should also configure the action to automatically create a dedicated application version/release for the current branch/PR, copying state from the main/parent branch version/release. This will allow the action to compare scan results for the current GitHub Action run against the last scan results of the main/parent branch.

Given that there are many scenarios where PR comments may list incorrect data, for example when above requirements are not met, this functionality is currently considered PREVIEW functionality. Based on customer feedback, internal research and potential SSC/FoD improvements, we may be able to either improve the current implementation, or potentially decide to remove this functionality if it doesn't work reliably.

<!-- END-INCLUDE:env-do-pr-comment.md -->


Expand Down Expand Up @@ -458,17 +462,19 @@ If `DO_JOB_SUMMARY` is set to `true` (implied if any of the other two `JOB_SUMMA

<!-- START-INCLUDE:env-do-pr-comment.md -->

**`DO_PR_COMMENT`, `PR_COMMENT_ACTION`, `PR_COMMENT_EXTRA_OPTS`** - OPTIONAL
**`DO_PR_COMMENT`, `PR_COMMENT_ACTION`, `PR_COMMENT_EXTRA_OPTS`** - OPTIONAL *(PREVIEW)*
If `DO_PR_COMMENT` is set to `true` (implied if any of the other two `PR_COMMENT_*` variables are set, and implies `DO_WAIT`), this action will generate a pull request comment listing new, re-introduced and removed issues using the fcli-provided [FoD `github-pr-comment`](https://fortify.github.io/fcli/dev_develop/fod-actions.html#_github_pr_comment) or [SSC `github-pr-comment`](https://fortify.github.io/fcli/dev_develop/ssc-actions.html#_github_pr_comment) action or, if specified, the custom fcli action specified through `PR_COMMENT_ACTION`. `PR_COMMENT_ACTION` may point to a local file or URL; this custom fcli action must support (at least) the exact same action parameters (including any environment variable based default values for those parameters) as the built-in fcli action. Any extra options for the fcli action can be passed through the `PR_COMMENT_EXTRA_OPTS` environment variable, for example to specify the SSC filter set from which to load issue data, or to allow an unsigned custom action to be used.

Note that pull request comments will only be generated under the following conditions:

* `GITHUB_TOKEN` environment variable needs to be set to a valid GitHub token, for example from `{{ secrets.GITHUB_TOKEN }}`.
* Standard `GITHUB_REF_NAME` environment variable points to a pull request.
* Standard `GITHUB_REF_NAME` environment variable points to a pull request, which is only the case on GitHub `pull_request` triggers and not for example `manual` triggers.
* All other standard GitHub environment variables like `GITHUB_REPOSITORY` and `GITHUB_SHA` are set.

PR comments are generated by comparing scan results from the current GitHub Action run against the previous scan in the same application version/release; it won't detect any new/removed issues from older scans. For best results, you should configure the GitHub Action to run only on pull request creation (not on every commit) and optionally allow for manual runs (if you want to re-run the scan after a PR is updated). You should also configure the action to automatically create a dedicated application version/release for the current branch/PR, copying state from the main/parent branch version/release. This will allow the action to compare scan results for the current GitHub Action run against the last scan results of the main/parent branch.

Given that there are many scenarios where PR comments may list incorrect data, for example when above requirements are not met, this functionality is currently considered PREVIEW functionality. Based on customer feedback, internal research and potential SSC/FoD improvements, we may be able to either improve the current implementation, or potentially decide to remove this functionality if it doesn't work reliably.

<!-- END-INCLUDE:env-do-pr-comment.md -->


Expand Down Expand Up @@ -898,17 +904,19 @@ Note that this may require a [GitHub Advanced Security](https://docs.github.com/

<!-- START-INCLUDE:env-do-pr-comment.md -->

**`DO_PR_COMMENT`, `PR_COMMENT_ACTION`, `PR_COMMENT_EXTRA_OPTS`** - OPTIONAL
**`DO_PR_COMMENT`, `PR_COMMENT_ACTION`, `PR_COMMENT_EXTRA_OPTS`** - OPTIONAL *(PREVIEW)*
If `DO_PR_COMMENT` is set to `true` (implied if any of the other two `PR_COMMENT_*` variables are set, and implies `DO_WAIT`), this action will generate a pull request comment listing new, re-introduced and removed issues using the fcli-provided [FoD `github-pr-comment`](https://fortify.github.io/fcli/dev_develop/fod-actions.html#_github_pr_comment) or [SSC `github-pr-comment`](https://fortify.github.io/fcli/dev_develop/ssc-actions.html#_github_pr_comment) action or, if specified, the custom fcli action specified through `PR_COMMENT_ACTION`. `PR_COMMENT_ACTION` may point to a local file or URL; this custom fcli action must support (at least) the exact same action parameters (including any environment variable based default values for those parameters) as the built-in fcli action. Any extra options for the fcli action can be passed through the `PR_COMMENT_EXTRA_OPTS` environment variable, for example to specify the SSC filter set from which to load issue data, or to allow an unsigned custom action to be used.

Note that pull request comments will only be generated under the following conditions:

* `GITHUB_TOKEN` environment variable needs to be set to a valid GitHub token, for example from `{{ secrets.GITHUB_TOKEN }}`.
* Standard `GITHUB_REF_NAME` environment variable points to a pull request.
* Standard `GITHUB_REF_NAME` environment variable points to a pull request, which is only the case on GitHub `pull_request` triggers and not for example `manual` triggers.
* All other standard GitHub environment variables like `GITHUB_REPOSITORY` and `GITHUB_SHA` are set.

PR comments are generated by comparing scan results from the current GitHub Action run against the previous scan in the same application version/release; it won't detect any new/removed issues from older scans. For best results, you should configure the GitHub Action to run only on pull request creation (not on every commit) and optionally allow for manual runs (if you want to re-run the scan after a PR is updated). You should also configure the action to automatically create a dedicated application version/release for the current branch/PR, copying state from the main/parent branch version/release. This will allow the action to compare scan results for the current GitHub Action run against the last scan results of the main/parent branch.

Given that there are many scenarios where PR comments may list incorrect data, for example when above requirements are not met, this functionality is currently considered PREVIEW functionality. Based on customer feedback, internal research and potential SSC/FoD improvements, we may be able to either improve the current implementation, or potentially decide to remove this functionality if it doesn't work reliably.

<!-- END-INCLUDE:env-do-pr-comment.md -->


Expand Down Expand Up @@ -1207,17 +1215,19 @@ Note that this may require a [GitHub Advanced Security](https://docs.github.com/

<!-- START-INCLUDE:env-do-pr-comment.md -->

**`DO_PR_COMMENT`, `PR_COMMENT_ACTION`, `PR_COMMENT_EXTRA_OPTS`** - OPTIONAL
**`DO_PR_COMMENT`, `PR_COMMENT_ACTION`, `PR_COMMENT_EXTRA_OPTS`** - OPTIONAL *(PREVIEW)*
If `DO_PR_COMMENT` is set to `true` (implied if any of the other two `PR_COMMENT_*` variables are set, and implies `DO_WAIT`), this action will generate a pull request comment listing new, re-introduced and removed issues using the fcli-provided [FoD `github-pr-comment`](https://fortify.github.io/fcli/dev_develop/fod-actions.html#_github_pr_comment) or [SSC `github-pr-comment`](https://fortify.github.io/fcli/dev_develop/ssc-actions.html#_github_pr_comment) action or, if specified, the custom fcli action specified through `PR_COMMENT_ACTION`. `PR_COMMENT_ACTION` may point to a local file or URL; this custom fcli action must support (at least) the exact same action parameters (including any environment variable based default values for those parameters) as the built-in fcli action. Any extra options for the fcli action can be passed through the `PR_COMMENT_EXTRA_OPTS` environment variable, for example to specify the SSC filter set from which to load issue data, or to allow an unsigned custom action to be used.

Note that pull request comments will only be generated under the following conditions:

* `GITHUB_TOKEN` environment variable needs to be set to a valid GitHub token, for example from `{{ secrets.GITHUB_TOKEN }}`.
* Standard `GITHUB_REF_NAME` environment variable points to a pull request.
* Standard `GITHUB_REF_NAME` environment variable points to a pull request, which is only the case on GitHub `pull_request` triggers and not for example `manual` triggers.
* All other standard GitHub environment variables like `GITHUB_REPOSITORY` and `GITHUB_SHA` are set.

PR comments are generated by comparing scan results from the current GitHub Action run against the previous scan in the same application version/release; it won't detect any new/removed issues from older scans. For best results, you should configure the GitHub Action to run only on pull request creation (not on every commit) and optionally allow for manual runs (if you want to re-run the scan after a PR is updated). You should also configure the action to automatically create a dedicated application version/release for the current branch/PR, copying state from the main/parent branch version/release. This will allow the action to compare scan results for the current GitHub Action run against the last scan results of the main/parent branch.

Given that there are many scenarios where PR comments may list incorrect data, for example when above requirements are not met, this functionality is currently considered PREVIEW functionality. Based on customer feedback, internal research and potential SSC/FoD improvements, we may be able to either improve the current implementation, or potentially decide to remove this functionality if it doesn't work reliably.

<!-- END-INCLUDE:env-do-pr-comment.md -->


Expand Down Expand Up @@ -1383,17 +1393,19 @@ If `DO_JOB_SUMMARY` is set to `true` (implied if any of the other two `JOB_SUMMA

<!-- START-INCLUDE:env-do-pr-comment.md -->

**`DO_PR_COMMENT`, `PR_COMMENT_ACTION`, `PR_COMMENT_EXTRA_OPTS`** - OPTIONAL
**`DO_PR_COMMENT`, `PR_COMMENT_ACTION`, `PR_COMMENT_EXTRA_OPTS`** - OPTIONAL *(PREVIEW)*
If `DO_PR_COMMENT` is set to `true` (implied if any of the other two `PR_COMMENT_*` variables are set, and implies `DO_WAIT`), this action will generate a pull request comment listing new, re-introduced and removed issues using the fcli-provided [FoD `github-pr-comment`](https://fortify.github.io/fcli/dev_develop/fod-actions.html#_github_pr_comment) or [SSC `github-pr-comment`](https://fortify.github.io/fcli/dev_develop/ssc-actions.html#_github_pr_comment) action or, if specified, the custom fcli action specified through `PR_COMMENT_ACTION`. `PR_COMMENT_ACTION` may point to a local file or URL; this custom fcli action must support (at least) the exact same action parameters (including any environment variable based default values for those parameters) as the built-in fcli action. Any extra options for the fcli action can be passed through the `PR_COMMENT_EXTRA_OPTS` environment variable, for example to specify the SSC filter set from which to load issue data, or to allow an unsigned custom action to be used.

Note that pull request comments will only be generated under the following conditions:

* `GITHUB_TOKEN` environment variable needs to be set to a valid GitHub token, for example from `{{ secrets.GITHUB_TOKEN }}`.
* Standard `GITHUB_REF_NAME` environment variable points to a pull request.
* Standard `GITHUB_REF_NAME` environment variable points to a pull request, which is only the case on GitHub `pull_request` triggers and not for example `manual` triggers.
* All other standard GitHub environment variables like `GITHUB_REPOSITORY` and `GITHUB_SHA` are set.

PR comments are generated by comparing scan results from the current GitHub Action run against the previous scan in the same application version/release; it won't detect any new/removed issues from older scans. For best results, you should configure the GitHub Action to run only on pull request creation (not on every commit) and optionally allow for manual runs (if you want to re-run the scan after a PR is updated). You should also configure the action to automatically create a dedicated application version/release for the current branch/PR, copying state from the main/parent branch version/release. This will allow the action to compare scan results for the current GitHub Action run against the last scan results of the main/parent branch.

Given that there are many scenarios where PR comments may list incorrect data, for example when above requirements are not met, this functionality is currently considered PREVIEW functionality. Based on customer feedback, internal research and potential SSC/FoD improvements, we may be able to either improve the current implementation, or potentially decide to remove this functionality if it doesn't work reliably.

<!-- END-INCLUDE:env-do-pr-comment.md -->


Expand Down
Loading

0 comments on commit 0a1d722

Please sign in to comment.