ghas-pr-notifications
GitHub App
This demonstration Probot application is designed to give GitHub code scanning alerts greater visibility by adding a descriptive comment to a Pull Request when:
- a code scanning alert is found on the branch
- a code scanning alert found on the branch is dismissed
and by opening an issue in a configured tracking repository in the organization every time a user dismisses a code scanning alert. A notification in the Pull Request conversation helps reviewers see exactly when alerts were created and, possibly, dismissed.
The application expects a repository named code-scanning-review to exist in the organization. Security teams can use this tracking repository to review developer teams' code scanning alert dismissals and re-open the issues that require further investigation.
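As an added example (not the project's own code), here is a minimal Probot handler for the behaviour described above: it reacts to the code_scanning_alert webhook, comments on every open Pull Request whose head is the affected branch, and opens a tracking issue when the action is a user dismissal. The comment and issue wording, the helper names, the fallback to `alert.most_recent_instance.ref` when the payload's top-level `ref` is empty, and the constructed sample payload and fake Octokit are all assumptions; only the tracking repository name comes from this page.

```javascript
// Added example, not the project's code: a minimal Probot handler for the
// behaviour described above. Wording, helper names and the sample payload
// are assumptions; only the tracking repo name is taken from the README.

const TRACKING_REPO = "code-scanning-review";

// Webhook actions meaning "alert is present on the branch" vs. "a user dismissed it".
const FOUND_ACTIONS = ["created", "appeared_in_branch", "reopened", "reopened_by_user"];
const DISMISSED_ACTION = "closed_by_user";

// "refs/heads/feature/x" -> "feature/x"
function branchFromRef(ref) {
  const prefix = "refs/heads/";
  if (!ref) return "";
  return ref.startsWith(prefix) ? ref.slice(prefix.length) : ref;
}

// Assumption: the top-level `ref` is empty for user-triggered actions, so
// fall back to the alert's most recent instance.
function refForAlert(payload) {
  if (payload.ref) return payload.ref;
  const inst = payload.alert && payload.alert.most_recent_instance;
  return inst && inst.ref ? inst.ref : "";
}

function classify(action) {
  if (FOUND_ACTIONS.includes(action)) return "found";
  if (action === DISMISSED_ACTION) return "dismissed";
  return null; // e.g. "fixed": nothing to announce on the PR
}

// Markdown body posted to the PR conversation (reused as the issue body).
function buildComment(kind, alert) {
  const rule = alert.rule || {};
  const lines = [
    `Code scanning alert #${alert.number} was ${kind === "dismissed" ? "dismissed" : "found"} on this branch.`,
    "",
    `- Rule: ${rule.id || "unknown"} (severity: ${rule.severity || "unknown"})`,
    `- Tool: ${alert.tool && alert.tool.name ? alert.tool.name : "unknown"}`,
    `- Alert: ${alert.html_url}`,
  ];
  if (kind === "dismissed") {
    const who = alert.dismissed_by && alert.dismissed_by.login;
    lines.push(`- Dismissed by: ${who ? "@" + who : "unknown user"}`);
    lines.push(`- Reason: ${alert.dismissed_reason || "none given"}`);
  }
  return lines.join("\n");
}

function buildTrackingIssue(repoFullName, alert) {
  const ruleId = (alert.rule && alert.rule.id) || "unknown rule";
  return { title: `[${repoFullName}] dismissed alert #${alert.number}: ${ruleId}`,
           body: buildComment("dismissed", alert) };
}

// Handles one code_scanning_alert event; returns what it did so it can be checked.
async function handleAlert(context) {
  const { action, alert, repository } = context.payload;
  const kind = classify(action);
  if (!kind) return { comments: 0, issue: false };
  const owner = repository.owner.login;
  const repo = repository.name;
  const branch = branchFromRef(refForAlert(context.payload));
  let comments = 0;
  if (branch) {
    // Only open PRs whose head is this branch in this repo (not a fork) get the comment.
    const { data: prs } = await context.octokit.pulls.list({ owner, repo, state: "open", head: `${owner}:${branch}` });
    for (const pr of prs) {
      await context.octokit.issues.createComment({ owner, repo, issue_number: pr.number, body: buildComment(kind, alert) });
      comments += 1;
    }
  }
  let issue = false;
  if (kind === "dismissed") {
    await context.octokit.issues.create({ owner, repo: TRACKING_REPO, ...buildTrackingIssue(repository.full_name, alert) });
    issue = true;
  }
  return { comments, issue };
}

// Probot entry point: Probot calls this with the app object on startup.
function probotApp(app) {
  app.on("code_scanning_alert", handleAlert);
}
if (typeof module !== "undefined") module.exports = probotApp;

// Constructed sample: a dismissal on feature/x with one open PR, run against a
// fake Octokit that only records the calls, so the handler can run offline.
function sampleContext() {
  const calls = [];
  const alert = { number: 42, html_url: "https://github.com/acme/app/security/code-scanning/42",
    rule: { id: "js/sql-injection", severity: "error" }, tool: { name: "CodeQL" },
    dismissed_by: { login: "dev" }, dismissed_reason: "false positive",
    most_recent_instance: { ref: "refs/heads/feature/x" } };
  const payload = { action: "closed_by_user", ref: "", alert,
    repository: { name: "app", full_name: "acme/app", owner: { login: "acme" } } };
  const octokit = {
    pulls: { list: async (p) => { calls.push(["pulls.list", p]); return { data: [{ number: 7 }] }; } },
    issues: { createComment: async (p) => { calls.push(["issues.createComment", p]); },
              create: async (p) => { calls.push(["issues.create", p]); } },
  };
  return { payload, octokit, calls };
}
```

For a real installation the app must subscribe to the code_scanning_alert event and be granted read access to pull requests plus write access to issues on both the scanned repositories and code-scanning-review; without the latter the tracking issue creation fails, which is the first thing to check if dismissals stop showing up in the tracking repository.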
Examples
- comments in the pull request
- issues opened in the tracking repo
Why Probot and not Actions?
GitHub Apps can be installed on all repositories in an organization, on a selected group of repositories, or on a single repository, without adding a new Actions workflow to each repo. An organization can therefore install the app once and get its benefits everywhere.