PR Decoration and PR Scans

PR Decoration

Using the Kondukto CLI, it is possible to view scan results within PRs.

A sample command for this operation is:

./kdt scan -p test -b feature -t gosec --pr-number 24

This command starts a gosec scan on the feature branch, pushes the scan results to PR number 24, and also reports the number of open (new + recurrent) vulnerabilities on that branch of the project.

The following command filters the count of open vulnerabilities in the project by the selected scanner types. In this example, the total number of open SAST and SCA vulnerabilities is displayed.

./kdt scan -p test -b feature -t gosec --pr-number 24 --pr-decoration-scanner-types sast,sca

PR Scans

When the PR scan functionality is used, Kondukto locally merges the target and source branches with git and then runs the scan on the combined source code that results from the merge.

This functionality is useful when triage decisions made on the source or the target branch need to be carried over to the other branch. This way, Kondukto lets you focus on newly introduced vulnerabilities without being distracted by vulnerabilities that have already been triaged on the target branch.

Note: For this functionality to work properly, the branch provided with the --merge-target flag (main in the example below) should have been scanned at least once via the UI or the CLI.

Start a PR Scan Without PR Decoration

When the following command is run, Kondukto carries over any triage activity that has taken place on the main branch to the feature branch. This means that vulnerabilities previously discovered on the main branch are shown as recurrent rather than new, and those that were suppressed on main remain suppressed on the feature branch. This allows the user to focus on new vulnerabilities on the feature branch.

./kdt scan -p test -b feature -t gosec --merge-target main

Start a PR Scan With PR Decoration

The following command pushes the results of the scan performed on the combined source code to PR number 24 as a PR decoration.

./kdt scan -p test -b feature -t gosec --merge-target main --pr-number 24