Conversation

@mramotowski
Contributor

πŸ“ Description

  • Provide a clear summary of the changes and the issue that has been addressed.
  • πŸ› οΈ Fixes # (issue number)

✨ Changes

Select what type of change your PR is:

  • πŸš€ New feature (non-breaking change which adds functionality)
  • 🐞 Bug fix (non-breaking change which fixes an issue)
  • πŸ”„ Refactor (non-breaking change which refactors the code base)
  • ⚑ Performance improvements
  • 🎨 Style changes (code style/formatting)
  • πŸ§ͺ Tests (adding/modifying tests)
  • πŸ“š Documentation update
  • πŸ“¦ Build system changes
  • 🚧 CI/CD configuration
  • πŸ”§ Chore (general maintenance)
  • πŸ”’ Security update
  • πŸ’₯ Breaking change (fix or feature that would cause existing functionality to not work as expected)

βœ… Checklist

Before you submit your pull request, please make sure you have completed the following steps:

  • πŸ“š I have made the necessary updates to the documentation (if applicable).
  • πŸ§ͺ I have written tests that support my changes and prove that my fix is effective or my feature works (if applicable).
  • 🏷️ My PR title follows conventional commit format.

For more information about code review checklists, see the Code Review Checklist.

Copilot AI review requested due to automatic review settings November 27, 2025 07:22
@mramotowski mramotowski force-pushed the mramotow/fix-security branch from 90ca86f to 0b72867 November 27, 2025 07:23

Copilot AI left a comment


Pull request overview

This PR enables security checks to run on pull requests in addition to scheduled runs, likely for testing purposes. The changes include adding a pull_request trigger and modifying the scan configuration to always use full scan settings regardless of trigger type.

Key Changes:

  • Added pull_request trigger to enable security scans on PRs (marked as temporary for testing)
  • Modified scan parameters to always use comprehensive settings instead of conditional logic


Comment on lines 56 to 59
#DELETE AFTER TESTING
pull_request:
#DELETE AFTER TESTING

Copilot AI Nov 27, 2025


The temporary testing comments should be removed before merging to main. Consider using a feature branch or draft PR status instead of leaving TODO comments in the codebase.

Suggested change
#DELETE AFTER TESTING
pull_request:
#DELETE AFTER TESTING

Copilot uses AI. Check for mistakes.
tools: ${{ 'bandit,clamav,semgrep,trivy,zizmor' || inputs.tools }}
scan-scope: ${{ 'all' || inputs.scan-scope }}
severity-level: ${{ 'LOW' || inputs.severity-level }}
confidence-level: ${{ 'LOW' || inputs.confidence-level }}
Copilot AI Nov 27, 2025


The logical OR operator in GitHub Actions expressions doesn't work as intended here. A non-empty string is always truthy, so inputs.tools will never be used. The original conditional logic github.event_name == 'schedule' && 'value' || inputs.value should be restored or replaced with proper conditional logic that accounts for the new pull_request trigger.

Suggested change
tools: ${{ 'bandit,clamav,semgrep,trivy,zizmor' || inputs.tools }}
scan-scope: ${{ 'all' || inputs.scan-scope }}
severity-level: ${{ 'LOW' || inputs.severity-level }}
confidence-level: ${{ 'LOW' || inputs.confidence-level }}
tools: ${{ github.event_name == 'schedule' && 'bandit,clamav,semgrep,trivy,zizmor' || inputs.tools }}
scan-scope: ${{ github.event_name == 'schedule' && 'all' || inputs['scan-scope'] }}
severity-level: ${{ github.event_name == 'schedule' && 'LOW' || inputs['severity-level'] }}
confidence-level: ${{ github.event_name == 'schedule' && 'LOW' || inputs['confidence-level'] }}
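Review bot: the restored `github.event_name == 'schedule' && '<default>' || inputs.*` form on the four suggested lines still leaves the new `pull_request` trigger unhandled: on a PR run the guard is false, so each setting falls through to `inputs.tools`, `inputs['scan-scope']`, `inputs['severity-level']` and `inputs['confidence-level']`, and the `inputs` context is only populated for `workflow_dispatch` and `workflow_call`, so on PRs all four resolve to empty strings and the scan runs with no tools, scope or thresholds set. Invert the guard so the full default is the fallback rather than the special case, e.g. `tools: ${{ github.event_name == 'workflow_dispatch' && inputs.tools || 'bandit,clamav,semgrep,trivy,zizmor' }}`, and apply the same pattern to `scan-scope`, `severity-level` and `confidence-level`.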

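As an added illustration of the operator semantics Copilot describes above (this is not code from the PR or from the anomalib project), the following Python emulator applies GitHub's `&&`/`||` evaluation rules to the `tools` setting. GitHub's operators return one of their operands rather than a boolean, and any non-empty string is truthy, which is why `'…' || inputs.tools` can never pick the input. The `hardened_tools` variant, the event names and the input dictionaries are constructed assumptions, not part of the workflow on this page.

```python
"""Emulate how GitHub Actions evaluates `a && b || c` inside ${{ }}.

Truthiness follows the expression rules: null, false, 0 and the empty
string are falsy; every other value (including any non-empty string) is
truthy. `&&` and `||` return an operand, not a boolean.
"""

# Default tool set taken from the workflow lines quoted on this page.
DEFAULT_TOOLS = "bandit,clamav,semgrep,trivy,zizmor"


def gh_truthy(value):
    """GitHub Actions truthiness: null/false/0/'' are falsy, all else truthy."""
    if value is None or value is False:
        return False
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value != 0
    return value != ""


def gh_and(left, right):
    """`a && b`: returns a when a is falsy, otherwise b."""
    return left if not gh_truthy(left) else right


def gh_or(left, right):
    """`a || b`: returns a when a is truthy, otherwise b."""
    return left if gh_truthy(left) else right


def render(value):
    """How a value is interpolated into the YAML: null -> '', bools -> 'true'/'false'."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def broken_tools(inputs):
    """${{ 'bandit,clamav,semgrep,trivy,zizmor' || inputs.tools }}

    The literal on the left is a non-empty string, so `||` always returns it;
    `inputs.tools` is dead code whatever the trigger.
    """
    return gh_or(DEFAULT_TOOLS, inputs.get("tools"))


def restored_tools(event_name, inputs):
    """${{ github.event_name == 'schedule' && '<default>' || inputs.tools }}

    On a schedule run the guard is true and the default is chosen. On any
    other trigger the guard is false, so the value is whatever `inputs.tools`
    holds; on a pull_request run the inputs context is empty (None here).
    """
    return gh_or(gh_and(event_name == "schedule", DEFAULT_TOOLS), inputs.get("tools"))


def hardened_tools(event_name, inputs):
    """Constructed variant (not from the page): trust `inputs.tools` only when
    the run was manually dispatched, and fall back to the full default set
    for every other trigger, including pull_request and schedule.
    """
    return gh_or(gh_and(event_name == "workflow_dispatch", inputs.get("tools")), DEFAULT_TOOLS)


if __name__ == "__main__":
    # Constructed sample triggers: a manual run with an input, a PR with none.
    manual = {"tools": "bandit"}
    pr = {}
    print("broken, manual input ignored :", render(broken_tools(manual)))
    print("restored, manual            :", render(restored_tools("workflow_dispatch", manual)))
    print("restored, pull_request      :", repr(render(restored_tools("pull_request", pr))))
    print("hardened, pull_request      :", render(hardened_tools("pull_request", pr)))
```

Running the block shows the three regimes side by side: the `||`-only form always yields the default, the restored form returns the caller's input on a manual run but an empty string on a pull request, and the hardened form gives the PR run the full default set while still honouring a non-empty manual input.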
Contributor left a comment


@mramotowski - could you take a look?

@mramotowski mramotowski marked this pull request as ready for review November 27, 2025 07:39
@mramotowski mramotowski marked this pull request as draft November 27, 2025 07:40
@mramotowski mramotowski force-pushed the mramotow/fix-security branch from 0b72867 to ea6f587 November 27, 2025 07:43
@mramotowski mramotowski marked this pull request as ready for review November 27, 2025 07:43
Copilot AI review requested due to automatic review settings November 27, 2025 07:43

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.



@AlexanderBarabanov AlexanderBarabanov left a comment


Thank you! Could you trigger scans on PR https://github.com/open-edge-platform/anomalib/pull/3151/checks?

Image

@mramotowski
Contributor Author


Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.


Comment on lines 64 to 65
- "bandit,semgrep,trivy,zizmor"
- "bandit,clamav,semgrep,trivy,zizmor" # Default set
Copilot AI Nov 27, 2025


The comment '# Default set' is on line 65, but line 67 shows the actual default is 'bandit,clamav,semgrep,trivy,zizmor'. The comment should be moved to match the default value on line 67 or the comment on line 65 should be removed to avoid confusion.

@mramotowski mramotowski force-pushed the mramotow/fix-security branch from 14456a0 to 1dda80f November 27, 2025 10:37
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.


@mramotowski mramotowski enabled auto-merge (squash) November 27, 2025 13:04
@ashwinvaidya17 ashwinvaidya17 merged commit 0b70a1d into main Nov 28, 2025
23 of 25 checks passed
@ashwinvaidya17 ashwinvaidya17 deleted the mramotow/fix-security branch November 28, 2025 10:07
5 participants