
Revisit Security Reporting Enhancements #101


@williaby

🔍 Revisit Security Reporting Enhancements (Follow-up to Issue #97)

This issue tracks the follow-up work related to the consolidated security reporting implementation introduced in Issue #97.

✅ Current Progress

  • Security tools configured via reusable workflows:
    • Bandit
    • Safety
    • Pip-Audit
    • Semgrep
    • Snyk
    • Trivy
  • All tools report using a standardized output format (*_results.json, *_output.txt, or SARIF)
  • Merged SARIF report generated successfully as merged-security.sarif
  • Composite workflow structure in place using nox-template.yml and nox-template-matrix.yml

Outstanding Tasks

1. Ensure All Result Files Are Detected

  • Validate that each security tool is consistently outputting results to its expected file.
  • Review wildcard patterns and filenames used for summary generation (*_results.json, *_output.txt).

2. Improve PR Feedback Loop

  • Add PR comments or annotations based on high severity findings from summary data.
  • Auto-label PRs that include critical vulnerabilities (status:security-failed).
  • Ensure workflows fail on high-severity findings but create issues for moderate/low severities.

3. Add Developer-Friendly Reporting

  • Include vulnerability summary directly in the GitHub Actions run summary.
  • Link to full SARIF or JSON result artifacts when truncated in PR comments.

4. Optional: Multi-Python Version Matrix

  • Run selected security jobs (e.g., Bandit, Safety, Pip-Audit) using a Python version matrix (e.g., 3.11, 3.12).
  • Identify any Python-version-specific issues that are missed by single-version testing.
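Added example (not code from this repository or the issue author): one Python script that covers tasks 1 through 3 end to end, so the pieces can be seen together. It reads a merged SARIF 2.1.0 document, classifies every result as critical/high/medium/low, renders a Markdown table plus the high and critical findings for the Actions run summary, and returns the PR decision: fail the job on high or critical, apply the `status:security-failed` label on critical, and hand medium/low back for issue creation. It also checks that each tool produced a file matching its expected pattern. The severity mapping is an assumption, not something the issue states: a rule's `security-severity` property is used when present (bands as GitHub code scanning documents them: 9.0+ critical, 7.0+ high, 4.0+ medium, else low), otherwise the SARIF `level` is mapped error→high, warning→medium, note→low. The embedded SARIF is a constructed sample, and the `EXAMPLE-000x` rule ids are placeholders, not real findings.

```python
"""Summarize and gate a merged SARIF file for a GitHub Actions job (added example)."""
import fnmatch
import json
import os
import sys

SEVERITIES = ("critical", "high", "medium", "low")
# Assumed fallback when a rule carries no "security-severity" property.
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low", "none": "low"}

# Constructed sample of a merged SARIF 2.1.0 document with two runs; not real tool output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "Bandit", "rules": [
            {"id": "B602", "properties": {"security-severity": "7.5"}},
            {"id": "B101"}]}},
         "results": [
            {"ruleId": "B602", "level": "error", "message": {"text": "subprocess call with shell=True"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/run.py"}}}]},
            {"ruleId": "B101", "level": "warning", "message": {"text": "assert used"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"}}}]}]},
        {"tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "EXAMPLE-0001", "properties": {"security-severity": "9.8"}},
            {"id": "EXAMPLE-0002"}]}},
         "results": [
            {"ruleId": "EXAMPLE-0001", "level": "error", "message": {"text": "placeholder critical finding"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}}}]},
            {"ruleId": "EXAMPLE-0002", "level": "note", "message": {"text": "placeholder informational finding"}}]},
    ],
}


def severity_of(result, rules_by_id):
    """Map one SARIF result to a severity bucket (mapping is an assumption, see lead-in)."""
    rule = rules_by_id.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        score = float(score)
        return "critical" if score >= 9.0 else "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"
    return LEVEL_FALLBACK.get(result.get("level", "warning"), "medium")


def summarize(sarif):
    """Return ({tool: {severity: count}}, [(tool, severity, rule, location, message), ...])."""
    counts, findings = {}, []
    for run in sarif.get("runs", []):
        driver = run["tool"]["driver"]
        rules_by_id = {r["id"]: r for r in driver.get("rules", [])}
        per_tool = counts.setdefault(driver["name"], dict.fromkeys(SEVERITIES, 0))
        for res in run.get("results", []):
            sev = severity_of(res, rules_by_id)
            per_tool[sev] += 1
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {}) \
                .get("artifactLocation", {}).get("uri", "-")
            findings.append((driver["name"], sev, res.get("ruleId"), loc, res["message"]["text"]))
    return counts, findings


def totals(counts):
    return {sev: sum(c[sev] for c in counts.values()) for sev in SEVERITIES}


def gate(counts, fail_on=("critical", "high")):
    """Fail the job on fail_on severities, label on critical, route the rest to issue creation."""
    t = totals(counts)
    return {
        "fail": any(t[s] for s in fail_on),
        "labels": ["status:security-failed"] if t["critical"] else [],
        "issue_severities": [s for s in SEVERITIES if s not in fail_on and t[s]],
    }


def render_markdown(counts, findings, max_rows=20):
    """Markdown for $GITHUB_STEP_SUMMARY or a PR comment; truncates and points at the artifact."""
    lines = ["## Security scan summary", "", "| Tool | Critical | High | Medium | Low |", "|---|---|---|---|---|"]
    for tool, c in sorted(counts.items()):
        lines.append(f"| {tool} | {c['critical']} | {c['high']} | {c['medium']} | {c['low']} |")
    shown = [f for f in findings if f[1] in ("critical", "high")]
    lines += ["", "### High and critical findings", ""]
    for tool, sev, rule, loc, text in shown[:max_rows]:
        lines.append(f"- **{sev}** `{rule}` in `{loc}` ({tool}): {text}")
    if len(shown) > max_rows:
        lines.append(f"- ... {len(shown) - max_rows} more; see the merged-security.sarif artifact")
    return "\n".join(lines) + "\n"


def write_step_summary(markdown):
    """Append to the Actions run summary when running in CI, else print it."""
    path = os.environ.get("GITHUB_STEP_SUMMARY")
    if path:
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(markdown)
    else:
        print(markdown)


def missing_outputs(existing, expected):
    """Task 1 check: expected is {tool: [glob patterns]}; return tools with no matching file."""
    return sorted(tool for tool, pats in expected.items()
                  if not any(fnmatch.fnmatch(f, p) for f in existing for p in pats))


if __name__ == "__main__":
    sarif = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_SARIF
    counts, findings = summarize(sarif)
    write_step_summary(render_markdown(counts, findings))
    decision = gate(counts)
    print(decision)
    sys.exit(1 if decision["fail"] else 0)
```

Run it as `python summarize_sarif.py merged-security.sarif` from the step that follows the merge; the non-zero exit is what fails the workflow on high/critical, and the returned `labels` and `issue_severities` are what a following `gh pr edit --add-label` / `gh issue create` step would consume (those steps are not shown here). The `missing_outputs` check is meant to run before the merge, over `glob.glob("**/*_results.json")` and friends, so a tool that silently wrote nothing fails loudly instead of disappearing from the summary.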

📂 Reference

  • Related Issue: #97
  • Merged SARIF Report: merged-security.sarif
  • Workflow Templates:
    • .github/workflows/templates/nox-template.yml
    • .github/workflows/templates/nox-template-matrix.yml
