Background
We have vet-action, which integrates vet with GitHub Actions to provide easy CI integration with safe defaults and support for custom policies, exceptions, etc. vet-action is specifically designed to handle CI complexities such as identifying the packages changed in a PR and vetting only those, with the goal of preventing new risks from being introduced.
Problem
vet-action uses a GitHub Actions workflow for scanning with vet. It is restricted by the GitHub Actions security model, which limits access to the GitHub API through the default GITHUB_TOKEN available in the CI environment when a PR is raised from a forked branch. This prevents vet-action from adding a comment to the PR. When a failure occurs due to a policy violation, users have to manually view the action log to identify the cause of the failure. This leads to a poor user experience, especially for open source maintainers who use vet-action.
While we could use pull_request_target to work around this permission limitation, it introduces additional security risk for the project that we want to avoid.
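As an added illustration (not from the vet-action project), a minimal workflow that stays on the safe `pull_request` trigger under the constraint described above, with the risky alternative shown only as commented-out configuration; the action ref, job and step names are assumptions.

```yaml
# Added example, not the vet-action project's own workflow.
# Assumed: the action is referenced as `safedep/vet-action@v1`.
name: vet

on:
  pull_request:        # fork PRs run here with a read-only GITHUB_TOKEN

# Least privilege. Requesting `pull-requests: write` here would not help:
# for a PR opened from a fork, GitHub still hands the job a read-only
# GITHUB_TOKEN, so the action cannot post a comment and the policy
# violation is only visible in the job log (the problem this issue describes).
permissions:
  contents: read

jobs:
  vet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: safedep/vet-action@v1   # assumed ref; check the project's docs

# The workaround the issue rejects. Under `pull_request_target` the job runs in
# the base repository's context with a write-capable GITHUB_TOKEN while
# processing content supplied by the fork, which is the risk the issue avoids.
#
# on:
#   pull_request_target:
# permissions:
#   pull-requests: write
```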
Solution
We should provide a hosted report of policy violations for open source projects. For example, when vet-action detects a policy violation, it will create a snapshot of the violation and the package metadata that caused it and host it at a URL. This is similar to what we do with our Malware Analysis service; for an example, see Malware Analysis Report.
This will enable open source project maintainers to easily visualize the cause of a CI failure with vet-action, without introducing the security risks of using the pull_request_target event trigger.