## Summary
The current PR security scan comment lists findings across multiple scan stages (filesystem vulnerabilities, Docker image vulnerabilities, misconfigurations, secrets, licenses, pre-release checks) but doesn't clearly indicate:
- Whether the PR is mergeable — a top-level verdict (✅ Mergeable / 🚫 Blocked) at the beginning of the comment
- Which specific stages are blocking — when findings cause a pipeline failure, developers have to cross-reference the scan tables with the job exit codes to figure out what's actually preventing the merge
## Proposed Changes

### 1. Top-level merge verdict

Add a prominent summary section at the top of the PR comment:

```markdown
## 🚫 PR Blocked — 1 blocking finding

| Stage | Status | Blocking? |
|-------|--------|-----------|
| Filesystem Scan | ✅ Clean | No |
| Docker Image Scan | ⚠️ 1 vulnerability | 🔴 Yes |
| Misconfigurations | ⚠️ 2 findings | No (advisory) |
| Secret Scan | ✅ Clean | No |
| License Scan | ✅ Clean | No |
| Pre-release Check | ✅ Clean | No |
```
### 2. Visual distinction for blocking vs advisory findings

Use more eye-catching emojis and formatting to differentiate:
- 🔴 / 🚫 for blocking findings (ones that cause `exit-code: 1`)
- 🟡 / ⚠️ for advisory findings (informational, non-blocking)
- ✅ for clean stages
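As an added illustration of the verdict logic proposed above (example code, not part of this issue or the project's pipeline), the snippet below derives "blocking" from the combination the issue describes, findings present and a failing job exit code, and renders the verdict heading plus the stage table. The `StageResult` shape and the sample stage values are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example, not the project's own code: one scan stage's outcome,
# as a CI job would report it (findings count plus the job's exit code).
@dataclass
class StageResult:
    name: str
    findings: int    # findings the scanner reported for this stage
    exit_code: int   # scan job exit code; non-zero fails the pipeline

def is_blocking(stage: StageResult) -> bool:
    """A stage blocks the merge only if it has findings AND its job failed."""
    return stage.findings > 0 and stage.exit_code != 0

def status_cell(stage: StageResult) -> str:
    if stage.findings == 0:
        return "✅ Clean"
    noun = "finding" if stage.findings == 1 else "findings"
    return f"⚠️ {stage.findings} {noun}"

def blocking_cell(stage: StageResult) -> str:
    if is_blocking(stage):
        return "🔴 Yes"
    return "No (advisory)" if stage.findings else "No"

def render_verdict(stages: list[StageResult]) -> str:
    """Build the top-level verdict heading followed by the per-stage table."""
    blocking = sum(1 for s in stages if is_blocking(s))
    if blocking:
        noun = "finding" if blocking == 1 else "findings"
        heading = f"## 🚫 PR Blocked — {blocking} blocking {noun}"
    else:
        heading = "## ✅ PR Mergeable — no blocking findings"
    rows = ["| Stage | Status | Blocking? |", "|-------|--------|-----------|"]
    for s in stages:
        rows.append(f"| {s.name} | {status_cell(s)} | {blocking_cell(s)} |")
    return "\n".join([heading, ""] + rows)

# Constructed sample mirroring the situation in the issue: advisory Dockerfile
# misconfigurations alongside one blocking image vulnerability.
SAMPLE_STAGES = [
    StageResult("Filesystem Scan", 0, 0),
    StageResult("Docker Image Scan", 1, 1),
    StageResult("Misconfigurations", 2, 0),
    StageResult("Secret Scan", 0, 0),
    StageResult("License Scan", 0, 0),
    StageResult("Pre-release Check", 0, 0),
]

if __name__ == "__main__":
    print(render_verdict(SAMPLE_STAGES))
```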
## Context
Currently, when the pipeline fails due to a security finding, developers see findings from multiple scan stages (e.g., DS-0001 misconfigs alongside GHSA CVEs) and can't easily tell which one is actually blocking the merge. This caused confusion today where a team spent time investigating Dockerfile misconfigurations (DS-0001, DS-0026) that turned out to be advisory-only, while the actual blocker was a CVE in the Docker image scan (GHSA-j88v-2chj-qfwx / pgx).
A clear merge-readiness summary would eliminate this ambiguity.
Requested by: @gandalf-at-lerian