akanealw
eec8c28fb3
Some checks are pending
Go Benchmark / Performance Regression Check (push) Waiting to run
Cerberus Integration / Cerberus Security Stack Integration (push) Waiting to run
Upload Coverage to Codecov / Backend Codecov Upload (push) Waiting to run
Upload Coverage to Codecov / Frontend Codecov Upload (push) Waiting to run
CodeQL - Analyze / CodeQL analysis (go) (push) Waiting to run
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Waiting to run
CrowdSec Integration / CrowdSec Bouncer Integration (push) Waiting to run
Docker Build, Publish & Test / build-and-push (push) Waiting to run
Docker Build, Publish & Test / Security Scan PR Image (push) Blocked by required conditions
Quality Checks / Auth Route Protection Contract (push) Waiting to run
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Waiting to run
Quality Checks / Backend (Go) (push) Waiting to run
Quality Checks / Frontend (React) (push) Waiting to run
Rate Limit integration / Rate Limiting Integration (push) Waiting to run
Security Scan (PR) / Trivy Binary Scan (push) Waiting to run
Supply Chain Verification (PR) / Verify Supply Chain (push) Waiting to run
WAF integration / Coraza WAF Integration (push) Waiting to run
7.8 KiB
Executable File
7.8 KiB
Executable File
Supply Chain Security PR Comments Update
Overview
Modified the supply chain security workflow to update or create PR comments that always reflect the current security state, replacing stale scan results with fresh data.
Date: 2026-01-11
Workflow: .github/workflows/supply-chain-verify.yml
Status: ✅ Complete
Problem Statement
Previously, the workflow posted a new comment on each scan run, which meant:
- Old comments with vulnerabilities remained visible even after fixes
- Multiple comments accumulated, causing confusion
- No way to track when the scan was last run
- Difficult to see the current security state at a glance
Solution
Replaced the actions/github-script comment creation with the peter-evans/create-or-update-comment action, which:
- Finds existing comments from the same workflow using a unique HTML comment identifier
- Updates in place instead of creating new comments
- Includes timestamps showing when the scan last ran
- Provides clear status indicators with emojis and formatted tables
Changes Made
1. Split PR Comment Logic into Multiple Steps
Step 1: Determine PR Number
- Extracts PR number from context (handles both
pull_requestandworkflow_runevents) - Returns empty string if no PR found
- Uses
actions/github-scriptwithresult-encoding: stringfor clean output
Step 2: Build PR Comment Body
- Generates timestamp with
date -u +"%Y-%m-%d %H:%M:%S UTC" - Calculates total vulnerabilities
- Creates formatted Markdown comment with:
- Status header with appropriate emoji
- Timestamp and workflow run link
- Vulnerability table with severity counts
- Color-coded emojis (🔴 Critical, 🟠 High, 🟡 Medium, 🔵 Low)
- Links to detailed reports
- Hidden HTML comment for identification:
<!-- supply-chain-security-comment -->
- Saves to
/tmp/comment-body.txtfor next step
Step 3: Update or Create PR Comment
- Uses
peter-evans/create-or-update-comment@v4.0.0 - Searches for existing comments containing
<!-- supply-chain-security-comment --> - Updates existing comment or creates new one
- Uses
edit-mode: replaceto fully replace old content
2. Comment Formatting Improvements
Status Indicators
Waiting for Image
### ⏳ Status: Waiting for Image
The Docker image has not been built yet...
No Vulnerabilities
### ✅ Status: No Vulnerabilities Detected
🎉 Great news! No security vulnerabilities were found in this image.
Vulnerabilities Found
### 🚨 Status: Critical Vulnerabilities Detected
⚠️ **Action Required**: X critical vulnerabilities require immediate attention!
Vulnerability Table
| Severity | Count |
|---|---|
| 🔴 Critical | 2 |
| 🟠 High | 5 |
| 🟡 Medium | 3 |
| 🔵 Low | 1 |
| Total | 11 |
3. Technical Implementation Details
Unique Identifier
- Hidden HTML comment:
<!-- supply-chain-security-comment --> - Allows
create-or-update-commentto find previous comments from this workflow - Invisible to users but searchable by the action
Multi-line Handling
- Comment body saved to file instead of environment variable
- Prevents issues with special characters and newlines
- More reliable than shell heredocs or environment variables
Conditional Execution
- All three steps check for valid PR number
- Steps skip gracefully if not in PR context
- No errors on scheduled runs or release events
Benefits
1. Always Current
- Comment reflects the latest scan results
- No confusion from multiple stale comments
- Clear "Last Updated" timestamp
2. Easy to Understand
- Color-coded severity levels with emojis
- Clear status headers (✅, ⚠️, 🚨)
- Formatted tables for quick scanning
- Links to detailed workflow logs
3. Actionable
- Immediate visibility of critical issues
- Direct links to full reports
- Clear indication of when action is required
4. Reliable
- Handles both
pull_requestandworkflow_runtriggers - Graceful fallback if PR context not available
- No duplicate comments
Testing Recommendations
Manual Testing
-
Create a test PR
git checkout -b test/supply-chain-comments git commit --allow-empty -m "test: supply chain comment updates" git push origin test/supply-chain-comments -
Trigger the workflow
- Wait for docker-build to complete
- Verify supply-chain-verify runs and comments
-
Re-trigger the workflow
- Manually re-run the workflow from Actions UI
- Verify comment is updated, not duplicated
-
Fix vulnerabilities and re-scan
- Update base image or dependencies
- Rebuild and re-scan
- Verify comment shows new status
Automated Testing
Monitor the workflow on:
- Next scheduled run (Monday 00:00 UTC)
- Next PR that triggers docker-build
- Next release
Action Versions Used
| Action | Version | SHA | Notes |
|---|---|---|---|
actions/github-script |
v7.0.1 | 60a0d83039c74a4aee543508d2ffcb1c3799cdea |
For PR number extraction |
peter-evans/create-or-update-comment |
v4.0.0 | 71345be0265236311c031f5c7866368bd1eff043 |
For comment updates |
Example Comment Output
When No Vulnerabilities Found
## 🔒 Supply Chain Security Scan
**Last Updated**: 2026-01-11 15:30:45 UTC
**Workflow Run**: [#123](https://github.com/owner/repo/actions/runs/123456)
---
### ✅ Status: No Vulnerabilities Detected
🎉 Great news! No security vulnerabilities were found in this image.
| Severity | Count |
|----------|-------|
| 🔴 Critical | 0 |
| 🟠 High | 0 |
| 🟡 Medium | 0 |
| 🔵 Low | 0 |
---
<!-- supply-chain-security-comment -->
When Vulnerabilities Found
## 🔒 Supply Chain Security Scan
**Last Updated**: 2026-01-11 15:30:45 UTC
**Workflow Run**: [#123](https://github.com/owner/repo/actions/runs/123456)
---
### 🚨 Status: Critical Vulnerabilities Detected
⚠️ **Action Required**: 2 critical vulnerabilities require immediate attention!
| Severity | Count |
|----------|-------|
| 🔴 Critical | 2 |
| 🟠 High | 5 |
| 🟡 Medium | 3 |
| 🔵 Low | 1 |
| **Total** | **11** |
📋 [View detailed vulnerability report](https://github.com/owner/repo/actions/runs/123456)
---
<!-- supply-chain-security-comment -->
Troubleshooting
Comment Not Updating
Symptom: New comments created instead of updating existing one
Cause: The hidden HTML identifier might not match
Solution: Check for the exact string <!-- supply-chain-security-comment --> in existing comments
PR Number Not Found
Symptom: Steps skip with "No PR number found"
Cause: Workflow triggered outside PR context (scheduled, release, manual)
Solution: This is expected behavior; comment steps only run for PRs
Timestamp Format Issues
Symptom: Timestamp shows incorrect time or format
Cause: System timezone or date command issues
Solution: Using date -u ensures consistent UTC timestamps
Future Enhancements
- Trend Analysis: Track vulnerability counts over time
- Comparison: Show delta from previous scan
- Priority Recommendations: Link to remediation guides
- Dismiss Button: Allow developers to acknowledge and hide resolved issues
- Integration: Link to JIRA/GitHub issues for tracking
Related Files
.github/workflows/supply-chain-verify.yml- Main workflow file.github/workflows/docker-build.yml- Triggers this workflow