Skip to content

Auto-create GitHub issues on critical vulnerability findings #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
asiridalugoda merged 1 commit into from
Apr 1, 2026
+90 −0
Merged

Auto-create GitHub issues on critical vulnerability findings #8

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
90 changes: 90 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -227,6 +227,96 @@ See [docs/config-schema.md](docs/config-schema.md) for the full schema reference

---

## GitHub Issue Integration

ReleaseGuard can automatically create a GitHub issue when critical vulnerabilities are detected during a scan. This gives your team immediate visibility into what blocked the release and actionable remediation steps — without leaving GitHub.

### How It Works

1. ReleaseGuard scans your release artifacts as part of CI
2. A critical (or configured severity) vulnerability is found
3. The release build **fails**
4. ReleaseGuard automatically creates a GitHub issue with:
- Full finding details (severity, category, file path, line number)
- Evidence snippets for each finding
- Recommended fixes and remediation guidance
- Category-specific playbooks (e.g. secret rotation steps)
- Whether the finding can be auto-fixed with `releaseguard fix`
5. Artifacts are dropped and CI reports failure

### Configuration

Add the `integrations.github_issues` section to your `.releaseguard.yml`:

```yaml
# .releaseguard.yml
version: 2
project:
name: my-app

policy:
fail_on:
- severity: critical

integrations:
github_issues:
enabled: true
severities:
- critical # Create issues for critical findings
- high # Optionally include high severity too
labels:
- security
- releaseguard
assignees:
- your-github-username
```

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| `enabled` | `bool` | Yes | Set to `true` to enable automatic issue creation |
| `severities` | `string[]` | Yes | Severity levels that trigger issue creation (e.g. `critical`, `high`, `medium`, `low`) |
| `labels` | `string[]` | No | Labels to apply to created issues |
| `assignees` | `string[]` | No | GitHub usernames to assign to created issues |

### Authentication

ReleaseGuard needs a GitHub token with `issues:write` permission on the target repository.

**In CI (GitHub Actions):**

```yaml
- uses: Helixar-AI/ReleaseGuard@<SHA>
with:
path: ./dist
env:
RELEASEGUARD_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
RELEASEGUARD_REPO: ${{ github.repository }}
```

The built-in `GITHUB_TOKEN` works for creating issues in the same repository. For cross-repo issue creation, use a personal access token or GitHub App token with the appropriate permissions.

**Locally:**

```bash
export RELEASEGUARD_GITHUB_TOKEN="ghp_..."
export RELEASEGUARD_REPO="owner/repo"
releaseguard check ./dist
```

### Disabling Issue Creation

Set `enabled: false` in your config, or simply omit the `integrations.github_issues` section entirely:

```yaml
integrations:
github_issues:
enabled: false
```

> **Future roadmap:** Issue creation will be extensible to other systems (Jira, Linear, etc.) via the `integrations` config block.

---

## Documentation

- [Architecture](docs/architecture.md)
Expand Down
Loading