On Tue, Feb 22, 2022 at 10:17 PM 'Jesse Glick' via Jenkins Developers <jenkinsci-dev@googlegroups.com> wrote:

> I suppose any results would appear in `/security/code-scanning` to repo
> admins only?
>

PR-specific results are shown directly and publicly in the PR. GitHub
compares results from the PR to results from the target branch to only show
differences. (And if you add the workflow file in a PR, that PR will have
all findings, because they're all new…)


> Will the *Checks* tab of a PR or trunk commit always be green so long as
> scanning completed, even if there are violations?
>

At the moment, yes, but it's configurable. I can have a rule fail the check
by increasing its level from warning to error, but there's at most one rule
I'm confident enough about where that would make sense. Feedback welcome of
course.


> The scan should pass `-ntp` to Maven builds—noisy. It is a bit slower than
> I expected too, though I suppose it does not matter much (still finishes
> before the Jenkins build).
>

I'll look into what I can figure out. Unfortunately the Maven invocation is
part of the GH proprietary bits. For now I'm wrapping the log spam in a
collapsible block in the GH Action output.

Regarding duration, note that you can set up a Maven cache if you haven't.
That might speed things up some.

To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7Pt%2BVpNzpAPemA1WyTprOPvV%2Bbd1oeP%2BfOEDtnYfTE_-Mow%40mail.gmail.com.
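For readers who want to see the pieces discussed above in one place, here is an added example workflow (not the workflow from this thread, and not the Jenkins project's own scan configuration). It replaces the CodeQL autobuild step with an explicit Maven build so that `-ntp` can be passed, folds the build output into a collapsible group in the Actions log with the `::group::`/`::endgroup::` workflow commands, and enables a Maven dependency cache through `actions/setup-java`. The branch name, Java version and build goals are assumptions; adjust them to the project.

```yaml
# Added example workflow, not the one from the thread.
# Assumptions: the project builds with `mvn package` on Java 11 and the
# default branch is `master`. Action versions are the ones current at the
# time of writing; pin them to whatever your organization standardizes on.
name: CodeQL

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

permissions:
  contents: read
  security-events: write   # needed to upload code scanning results

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Maven dependency cache. setup-java keys the cache on the pom.xml
      # hashes, so a dependency change invalidates it automatically.
      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '11'
          cache: maven

      - uses: github/codeql-action/init@v2
        with:
          languages: java

      # Replaces github/codeql-action/autobuild. Running Maven ourselves means
      # we control the flags: -B (batch mode) and -ntp (no transfer progress)
      # remove most of the download noise. Whatever remains is wrapped in a
      # collapsible group so it is hidden by default in the Actions log.
      - name: Build with Maven
        run: |
          echo "::group::Maven build"
          mvn -B -ntp -DskipTests package
          echo "::endgroup::"

      - uses: github/codeql-action/analyze@v2
```

Whether a finding turns the check red is driven by the query's `@problem.severity` metadata (`warning` versus `error`) together with the repository's code scanning check-failure setting, which is the "level" the reply above refers to; the workflow itself does not need to change for that.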