
Automate Issue Creation for Low and Medium Severity Security Findings #102

@williaby

πŸ› οΈ Automate Issue Creation for Low and Medium Severity Security Findings

This issue tracks the implementation of automated GitHub Issue creation for security vulnerabilities classified as low or medium severity across supported security tools in the LedgerBase CI pipeline.


🎯 Objective

Extend the LedgerBase security workflows to:

  • ❌ Fail PRs only on high and critical findings
  • ✅ Automatically open GitHub Issues for low and medium severity items
  • 📈 Ensure vulnerabilities are logged, tracked, and triaged even if they do not block merges

📌 Implementation Plan

1. Enhance Security Summary Parsing

  • Modify the status-summary or dedicated post-processing job to:
    • Parse *.sarif, *.json, and *_output.txt files
    • Extract relevant fields: severity, rule ID, message, file, line
    • Normalize severity levels across tools (LOW, MEDIUM, etc.)

2. Automate GitHub Issue Creation

  • Use actions/github-script or GitHub REST API to:
    • Detect whether an issue for the vulnerability already exists (title or hash match)
    • If not found, create a new issue with:
      • Title: [SECURITY] Medium severity issue in <filename> from <tool>
      • Labels: security, triage, severity:medium or severity:low
      • Body: Include:
        • Tool name
        • Full finding message
        • Affected file and line number
        • Timestamp and job reference

3. Improve Resilience and Filtering

  • Avoid duplicates with hash-based or title-based deduplication
  • Optionally track state in metadata/issues-seen.json artifact or similar
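As an added example of steps 1 to 3 (not LedgerBase's own code): a Python script that flattens a constructed SARIF file, normalizes severities onto one ladder, fingerprints each finding for deduplication, and returns both the PR verdict and the issue payloads to open. The SARIF sample, the severity alias table and the choice of fingerprint fields are assumptions; posting the payloads through actions/github-script or the REST API is left to the workflow step.

```python
import hashlib
BLOCKING = {"HIGH", "CRITICAL"}  # findings that fail the PR
TRACKED = {"LOW", "MEDIUM"}      # findings that become GitHub issues instead
# Tool-specific words (incl. SARIF `level`) mapped onto one ladder; an assumed mapping.
ALIASES = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW", "none": "LOW", "moderate": "MEDIUM"}

def normalize_severity(raw: str) -> str:
    return ALIASES.get(raw.strip().lower(), raw.strip().upper())

def parse_sarif(doc: dict) -> list[dict]:
    """Flatten SARIF 2.1 results into tool/severity/rule/message/file/line records."""
    findings = []
    for run in doc.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            pl = res["locations"][0]["physicalLocation"]
            findings.append({"tool": tool, "rule": res["ruleId"], "message": res["message"]["text"],
                             "severity": normalize_severity(res.get("level", "warning")),
                             "file": pl["artifactLocation"]["uri"], "line": pl["region"]["startLine"]})
    return findings

def fingerprint(f: dict) -> str:
    """Dedup key; the line number is left out so unrelated edits do not refile a finding."""
    return hashlib.sha256(f"{f['tool']}|{f['rule']}|{f['file']}".encode()).hexdigest()[:16]

def issue_payload(f: dict) -> dict:
    sev = f["severity"].lower()
    return {"title": f"[SECURITY] {sev.capitalize()} severity issue in {f['file']} from {f['tool']}",
            "labels": ["security", "triage", f"severity:{sev}"],
            "body": (f"**Tool:** {f['tool']}\n**Rule:** {f['rule']}\n**Message:** {f['message']}\n"
                     f"**Location:** {f['file']}:{f['line']}\n<!-- fingerprint:{fingerprint(f)} -->")}

def triage(findings: list[dict], seen: set[str]) -> tuple[bool, list[dict]]:
    """Return (fail_pr, issues_to_open); `seen` holds fingerprints already filed."""
    fail, issues = False, []
    for f in findings:
        fail = fail or f["severity"] in BLOCKING
        if f["severity"] in TRACKED and fingerprint(f) not in seen:
            seen.add(fingerprint(f))
            issues.append(issue_payload(f))
    return fail, issues

# Constructed SARIF sample: a medium, a low, and the same medium again on another line.
def _result(rule, level, path, line):
    return {"ruleId": rule, "level": level, "message": {"text": f"{rule} triggered"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": path},
                                                "region": {"startLine": line}}}]}
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "Trivy"}}, "results": [
    _result("RULE-A", "warning", "poetry.lock", 12), _result("RULE-B", "note", "Dockerfile", 3),
    _result("RULE-A", "warning", "poetry.lock", 40)]}]}
```

Persisting the `seen` set (for example as the metadata/issues-seen.json artifact mentioned above) between runs is what keeps a finding from being refiled on every push.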

🧰 Targeted Security Tools

  • Bandit (bandit_output.txt)
  • Safety (safety_output.txt)
  • Pip-Audit (audit_results.txt)
  • Semgrep (semgrep-results.json)
  • Trivy (trivy-results.sarif)
  • Snyk (snyk-results.json)

📎 Deliverables

  • A reusable script or GitHub Actions step to create issues
  • Full integration into composite security.yml workflow
  • Unit test / dry run mode for local testing or CI preview

🚀 Future Considerations

  • Auto-assign based on CODEOWNERS or file paths
  • Add SLA labels like due:90d or needs-review
  • Notify via Slack or email when issues are filed

🔗 Related
