In our previous blog post, we introduced Bearer’s new GitHub App and highlighted its seamless onboarding process and on-demand scanning capabilities. Today, we focus on how this app can significantly enhance the developer experience within Pull Requests (PRs) while providing critical reporting capabilities to security teams.
Enhancing the Pull Request Developer Experience
As part of the GitHub App's workflow, we've gone the extra mile to provide valuable feedback for every Pull Request scan, making the developer experience more enriching and efficient.
Here's a breakdown of how we've improved the developer experience:
1. Summary of Scan Results: To facilitate quick reference, we display a summary of the scan as the initial comment in the PR.
2. Specific Inline Comments: For each identified issue, we create a specific inline comment that is packed with all the necessary context a developer might need to understand and address the issue effectively.
3. Easy Dismissal: Developers can now effortlessly dismiss findings by simply responding to the comment using the /bearer ignore [message] command. Try it in the interactive demo below!
What happens when a finding is dismissed within a PR? The Bearer Cloud GitHub Action processes the dismissal promptly, appending a 👍 to the comment to indicate that the issue has been accounted for. The dismissal also triggers a re-scan, and the report summary at the top of the PR is updated accordingly. The dismissed finding is then collapsed, keeping the developer's view of the PR uncluttered. If developers wish to reconsider their decision, they can restore the dismissed finding by replying with the /bearer unignore command.
These enhancements grant developers greater control over scan results and empower them to take action swiftly without disrupting their workflow. However, an important question arises: What if developers inadvertently or maliciously dismiss findings they shouldn't?
Workflow Reporting for Security
At Bearer, we value the relationship between developers and the security team, guided by the principle of 'trust, but verify.' In addition to empowering developers with the ability to dismiss findings, we have introduced an efficient reporting tool within Bearer Cloud. This tool is designed to support the security team, who are responsible for managing the ultimate status of ignored findings.
In the "Review" section of the Dashboard, all findings dismissed by developers in their PRs become accessible once these PRs are merged. This transparency empowers the security team to discern who dismissed a finding, when it was dismissed, and the rationale behind the decision. Armed with this information, the security team can either confirm the dismissal or reopen the issue for further investigation.
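To make the two halves of this workflow concrete, here is a small added illustration (written for this post's explanation, not Bearer's own code) of how a PR-comment dismissal command can be handled and how the resulting audit trail feeds a security review queue. It assumes only what the text states: a reply of the form /bearer ignore [message] or /bearer unignore on an inline finding comment, a 👍 acknowledgement, a refreshed summary, and a review list that records who dismissed a finding, when, and why, once the PR is merged. The class names, field names, rule names and PR numbers below are hypothetical placeholders.

```python
"""Toy model of a PR-comment dismissal workflow with an audit trail for security review.
Added illustration; not Bearer's implementation. All names and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import re

# Matches "/bearer ignore <optional message>" or "/bearer unignore" (case-insensitive).
COMMAND_RE = re.compile(r"^/bearer\s+(ignore|unignore)(?:\s+(.*))?\s*$", re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    finding_id: str
    rule: str                       # constructed rule name, e.g. "sample-rule-1"
    ignored: bool = False
    ignored_by: Optional[str] = None
    ignored_at: Optional[str] = None
    reason: Optional[str] = None
    reviewed: Optional[str] = None  # "confirmed" or "reopened" once security has decided


@dataclass
class AuditEvent:
    finding_id: str
    action: str                     # "ignore" or "unignore"
    actor: str
    at: str                         # ISO-8601 UTC timestamp
    pr: int
    reason: Optional[str]


def parse_command(body: str):
    """Return (verb, message) for a recognised command, else None for an ordinary reply."""
    m = COMMAND_RE.match(body.strip())
    if not m:
        return None
    message = (m.group(2) or "").strip() or None
    return m.group(1).lower(), message


class DismissalTracker:
    def __init__(self, findings):
        self.findings = {f.finding_id: f for f in findings}
        self.audit: list[AuditEvent] = []  # append-only: every ignore/unignore is recorded

    def handle_comment(self, finding_id, actor, body, pr, now=None):
        """Process a reply on an inline finding comment.
        Returns (acknowledged, rescan_needed): acknowledged means "add the 👍"."""
        parsed = parse_command(body)
        if parsed is None or finding_id not in self.findings:
            return False, False
        verb, message = parsed
        f = self.findings[finding_id]
        at = (now or datetime.now(timezone.utc)).isoformat()
        if verb == "ignore":
            f.ignored, f.ignored_by, f.ignored_at, f.reason = True, actor, at, message
            f.reviewed = None           # a fresh dismissal always needs a fresh review
        else:
            f.ignored, f.ignored_by, f.ignored_at, f.reason = False, None, None, None
        self.audit.append(AuditEvent(finding_id, verb, actor, at, pr, message))
        return True, True

    def summary(self):
        """Counts shown in the summary comment at the top of the PR after the re-scan."""
        open_count = sum(1 for f in self.findings.values() if not f.ignored)
        return {"open": open_count, "ignored": len(self.findings) - open_count}

    def _dismissal_pr(self, finding_id):
        """PR in which the most recent ignore for this finding was issued."""
        for ev in reversed(self.audit):
            if ev.finding_id == finding_id and ev.action == "ignore":
                return ev.pr
        return None

    def review_queue(self, merged_prs):
        """Dismissals from merged PRs still awaiting a security decision: who, when, why."""
        return [
            {"finding": f.finding_id, "rule": f.rule, "by": f.ignored_by,
             "at": f.ignored_at, "reason": f.reason}
            for f in self.findings.values()
            if f.ignored and f.reviewed is None and self._dismissal_pr(f.finding_id) in merged_prs
        ]

    def security_decision(self, finding_id, confirm: bool):
        """Security team either confirms the dismissal or reopens the finding."""
        f = self.findings[finding_id]
        if confirm:
            f.reviewed = "confirmed"
        else:
            f.ignored, f.ignored_by, f.ignored_at, f.reason = False, None, None, None
            f.reviewed = "reopened"
        return f
```

The point of the audit list is that a dismissal is never silently final: the developer's command is acknowledged immediately, but the who/when/why is retained and surfaces for review only after merge, so a mistaken or unjustified ignore can be reopened without blocking the PR.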
Conclusion
The Bearer GitHub App redefines the developer experience and elevates security oversight to new heights. From the effortless onboarding process to the precision of scanning individual code commits, our commitment to enhancing while securing the developer workflow is unwavering.
Request a demo today to experience first-hand how our newly launched GitHub App can empower your developers and provide invaluable reporting and oversight for your security team.