632}
633
/**
 * Routes a scan server response to the action's output channels (log, SARIF, PR comments).
 *
 * Handling order:
 * 1. A response carrying a `skipReason` and no SARIF- or PR-reportable findings is logged
 *    and dropped. Nothing is uploaded, so an empty SARIF run cannot clear existing Code
 *    Scanning alerts or suggest that authorization-gated work actually ran.
 * 2. A `skipReason` that arrives together with real findings is treated as a server-side
 *    inconsistency: a warning quoting the reason is logged and processing continues.
 * 3. SARIF output is emitted unless the scan was skipped and no SARIF-reportable finding
 *    exists (the PR-comment and SARIF channels intentionally accept different locations).
 * 4. When the server reports `commentsPosted === false` and there is something to post
 *    (PR-postable comments or a review summary), the action posts the comments itself.
 * 5. Otherwise a status line is logged based on `comments` and `commentsPosted`.
 *
 * @param scanResponse - Parsed response from the scan server.
 * @param inputs - Action inputs; `githubToken` and `minimumSeverity` feed the fallback poster.
 * @param context - Pull request the scan ran against, used when posting fallback comments.
 * @returns Resolves once logging, SARIF emission and any fallback posting are done.
 */
async function handleScanResponse(
  scanResponse: ScanResponse,
  inputs: ActionInputs,
  context: PullRequestContext,
): Promise<void> {
  const { comments, commentsPosted, review, skipReason } = scanResponse;
  // Evaluate the SARIF predicate first, matching the channel order used below.
  const sarifFindingsPresent = hasSarifReportableFindings(scanResponse);
  const prFindingsPresent = hasPrPostableFindings(comments);
  const anyFindingsPresent = sarifFindingsPresent || prFindingsPresent;

  if (skipReason) {
    if (!anyFindingsPresent) {
      // Skipped is not the same as clean: stop here rather than emit empty results.
      core.info(`🔀 Scan skipped: ${skipReason}`);
      return;
    }
    // Skip + findings is contradictory; the reason text is the operator's only lead on
    // which server path produced it, so it goes into the warning verbatim.
    core.warning(
      `Scan response included findings alongside a skipReason ("${skipReason}"); processing findings.`,
    );
  }

  const reviewSuffix = review ? ' and review summary' : '';
  core.info(`📊 Found ${comments.length} comments${reviewSuffix}`);

  // For a non-skipped scan SARIF is always emitted; for a mixed skip only when a
  // SARIF-reportable finding exists, so a PR-only mixed skip never uploads an empty run.
  const shouldEmitSarif = skipReason ? sarifFindingsPresent : true;
  if (shouldEmitSarif) {
    emitConfiguredSarifOutput(scanResponse, inputs);
  }

  // `commentsPosted === false` is an explicit "not posted" from the server; only then does
  // the action post comments itself, and only if there is something PR-facing to post.
  const needsFallbackPosting =
    commentsPosted === false && (prFindingsPresent || Boolean(review));
  if (needsFallbackPosting) {
    await postFallbackComments(
      inputs.githubToken,
      context,
      comments,
      review,
      inputs.minimumSeverity,
    );
    return;
  }

  if (comments.length === 0) {
    // NOTE(review): reached for any empty `comments` list, including a response where
    // hasSarifReportableFindings() was true and SARIF was emitted above — confirm that
    // this log line cannot mask SARIF-only findings.
    core.info('✨ No vulnerabilities found!');
    return;
  }

  if (commentsPosted === true) {
    core.info('✅ Comments posted to PR by scan server');
  } else {
    // Typically `commentsPosted` is undefined here (older server versions omit it). It is
    // also reached with `commentsPosted === false` when hasPrPostableFindings() rejects a
    // non-empty list and no review summary is present — in that case the message is
    // imprecise; verify whether that combination can occur.
    core.info('✅ Comments returned (server version does not indicate if posted)');
  }
}

Callers 1

runCodeScanFunction · 0.85

Calls 4

hasPrPostableFindingsFunction · 0.90
postFallbackCommentsFunction · 0.85

Tested by

no test coverage detected

Used in the wild real call sites across dependent graphs

searching dependent graphs…