Find and fix vulnerabilities in seconds using GitHub PR reviews with line comments

July 07, 2020 By Kevin Miller


Pull request line comments highlight the exact line(s) of code that introduced a policy violation, giving developers all the information they need to remediate open source risks and innovate securely without sacrificing speed.

Developers need to know if code they commit introduces risks and why. The sooner they find potential policy violations or security vulnerabilities, the faster they can resolve issues, reducing time to remediation and minimizing manual re-work. This enables organizations to develop and innovate quickly with complete peace of mind.

Earlier we introduced GitHub PR commenting, notifying developers when a specific PR introduces policy violations. We've expanded on this feature with PR line commenting for even more granularity, highlighting the exact line(s) of code that introduced the vulnerabilities or violations, and if available, an easy way to fix them.

Once you're ready to merge a pull request, simply run a policy evaluation on the branch you are working on. We'll automatically leave comments on the PR for new vulnerabilities that were introduced and show you the line(s) of code that brought them in. We'll include an upgrade path or available remediation to resolve these issues and save you the hassle of additional research. How easy is that?

We've also added a summary comment for a consolidated view of all policy violations for a specific pull request. You can see all of the potential threats at a glance and quickly take the action to fix vulnerabilities or violations. You can also find out if any pre-existing violations were resolved as a result of your changes.

Want to take a deeper dive? Here is a quick video outlining our new PR line commenting in GitHub. See below for more details on both line and summary comments.

PR line comments

PR line comments contain the:

  • Name and severity of the affected component
  • Summary and description of the violations that were introduced by the change
  • Specific line of code that brought in the violation
  • Action to take to fix the issue (if a path to remediation is available)

PR line commenting is supported for direct dependencies in Maven and npm projects.
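To make concrete what anchoring a line comment to a direct dependency involves, here is an added example (not Sonatype's code, and not taken from this post): it scans a constructed `package.json`, finds the line on which a flagged direct npm dependency is declared, and builds the comment body and the GitHub review-comment payload a bot would post. The component name, severity, summary text and fixed version passed in are hypothetical inputs a policy evaluation would supply.

```python
import re
import json

# Constructed sample package.json standing in for the PR's changed file.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "version": "1.0.0",
  "dependencies": {
    "lodash": "4.17.15",
    "express": "^4.17.1"
  },
  "devDependencies": {
    "jest": "^26.0.0"
  }
}
"""

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def find_direct_dependency_lines(package_json_text):
    """Map each direct dependency to (1-based line, section, declared version).

    The JSON is parsed first to validate it; the line scan then tracks which
    dependency section it is inside so a top-level key such as "version"
    is never confused with a dependency of the same name.
    """
    manifest = json.loads(package_json_text)
    sections = {s for s in DEP_SECTIONS if isinstance(manifest.get(s), dict)}
    found, current = {}, None
    for lineno, line in enumerate(package_json_text.splitlines(), start=1):
        header = re.match(r'\s*"([^"]+)"\s*:\s*\{', line)
        if header:                       # entering an object; only track dep sections
            current = header.group(1) if header.group(1) in sections else None
        elif re.match(r"\s*\}", line):   # leaving the current object
            current = None
        elif current is not None:
            dep = re.match(r'\s*"([^"]+)"\s*:\s*"([^"]*)"', line)
            if dep:
                found.setdefault(dep.group(1), (lineno, current, dep.group(2)))
    return found


def build_line_comment(package_json_text, component, severity, summary, fixed_version=None):
    """Return a GitHub pull-request review-comment payload for the flagged
    component, or None when it is not a direct dependency (so no line exists)."""
    hit = find_direct_dependency_lines(package_json_text).get(component)
    if hit is None:
        return None
    lineno, section, declared = hit
    action = f"Action: upgrade to {fixed_version}" if fixed_version else "Action: no fixed version published; review the component"
    body = f"**{component}@{declared}** ({section}) - severity {severity}\n{summary}\n{action}"
    # Field names follow GitHub's "create a review comment" API; commit_id is filled in by the caller.
    return {"path": "package.json", "line": lineno, "side": "RIGHT", "body": body}
```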

See an example of a PR line comment below:

PR summary comment

The PR summary comment contains a roll-up of all vulnerabilities and violations, affected components, and descriptions of each. The details are collapsed, making them easier to digest, but can be expanded to show more information as needed. Links to the corresponding line comments let you jump straight to the relevant line so you can spot the violations easily.

See an example of a PR summary comment below:


At Sonatype we offer a myriad of tools and integrations to help developers find, investigate, and fix policy and security violations faster. By placing contextualized data and component intelligence earlier in the development process, we enable developers to make better decisions and easily select the highest quality open source software components.

Tags: github, vulnerabilities, open source governance, npm, component vulnerabilities, Maven, policy automation, featured, Product

Written by Kevin Miller

Kevin Miller is a Product Marketing Manager at Sonatype where he works to empower the development community to shift component choice and security left. He believes that putting the right tools and options in the hands of developers will help accelerate software innovation and minimize open source risk.