feat: add commit SHA check to skip redundant scans#274

Merged
sgerlach merged 10 commits into
mainfrom
feat/commit-sha-check
Apr 2, 2026
Conversation

@sgerlach sgerlach commented Apr 1, 2026

Summary

  • Adds opt-in commitShaCheck input that looks up existing StackHawk scan results by commit SHA before running a new scan
  • When a matching scan is found, posts results as a PR comment and GitHub Step Summary, then passes/fails based on the scan's threshold status — skipping the CLI scan entirely
  • When no matching scan is found, falls through to run HawkScan normally
  • Automatically derives organizationId from the application lookup (GET /api/v1/app/{appId}) — no extra config needed
  • Gracefully degrades to normal scan on any API error

New Action Input

| Input | Required | Default | Description |
|---|---|---|---|
| commitShaCheck | no | false | Enable SHA lookup against StackHawk platform before scanning |

Example Usage

```yaml
- uses: stackhawk/hawkscan-action@v2
  with:
    apiKey: ${{ secrets.HAWK_API_KEY }}
    commitShaCheck: 'true'
    configurationFiles: stackhawk.yml
    codeScanningAlerts: true
    githubToken: ${{ github.token }}
```

The configurationFiles input is always required — the action parses applicationId from it for the SHA lookup. If no existing scan is found, the action falls through to a normal HawkScan run using the same config.

New Modules

  • src/config_parser.js — Parses applicationId from stackhawk.yml
  • src/scan_check.js — StackHawk API auth, app lookup for orgId, scan search by GIT_SHA tag
  • src/scan_summary.js — Markdown formatting for PR comment and Step Summary

Test plan

  • Verify npm run all passes (lint + build + test) — 36 tests across 4 suites
  • Test with commitShaCheck: false (default) — should behave identically to current action
  • Test with commitShaCheck: true and a commit that has an existing scan — should find scan, post summary, skip CLI run
  • Test with commitShaCheck: true and a commit with no existing scan — should fall through to normal scan
  • Test API auth failure graceful degradation — should warn and fall through to normal scan
  • Test app lookup failure graceful degradation — should warn and fall through to normal scan
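The lookup-then-fall-through flow described in the summary, as an added example that is not the project's code. It mirrors the function names from the commit messages (authenticate, searchScanBySha, checkForExistingScan) but is written to run offline: the HTTP layer is injected as a synchronous `request(method, path, headers)` function standing in for the async client a real action would use. The auth and app-lookup paths are the ones named on this page; the scan-search path, the `X-ApiKey` header, every response shape, and the fixture values are assumptions for illustration.

```javascript
// Added example, not the project's code. Demonstrates: derive organizationId
// from the app record, search scans by GIT_SHA tag, and degrade to a normal
// scan on any failure. `request` is injected so the flow runs against a fake.

const AUTH_PATH = '/api/v1/auth/login';               // named in the review comment
const appPath = (appId) => `/api/v1/app/${appId}`;    // named in the PR summary
const SCAN_SEARCH_PATH = '/api/v1/scan/search';       // ASSUMPTION: placeholder route

// Pull applicationId out of a stackhawk.yml-style document. Only the plain
// `applicationId: <id>` line is handled; the real module would use a YAML parser.
function parseApplicationId(configText) {
  const m = /^\s*applicationId:\s*["']?([A-Za-z0-9-]+)["']?\s*$/m.exec(configText);
  return m ? m[1] : null;
}

// Exchange the API key for a bearer token. The key is sent in this one request only.
function authenticate(request, apiKey) {
  const res = request('GET', AUTH_PATH, { 'X-ApiKey': apiKey }); // header name is an assumption
  if (!res || typeof res.token !== 'string') throw new Error('auth response has no token');
  return res.token;
}

// Derive organizationId from the application record instead of asking the user for it.
function lookupOrganizationId(request, token, appId) {
  const res = request('GET', appPath(appId), { Authorization: `Bearer ${token}` });
  if (!res || typeof res.organizationId !== 'string') throw new Error('app lookup has no organizationId');
  return res.organizationId;
}

// Find a finished scan for this app tagged with the current commit SHA, or null.
function searchScanBySha(request, token, orgId, appId, sha) {
  const q = `orgId=${encodeURIComponent(orgId)}&appId=${encodeURIComponent(appId)}&GIT_SHA=${encodeURIComponent(sha)}`;
  const res = request('GET', `${SCAN_SEARCH_PATH}?${q}`, { Authorization: `Bearer ${token}` });
  const scans = Array.isArray(res && res.scans) ? res.scans : [];
  // Only a COMPLETED scan carries a threshold verdict; anything else must not short-circuit the run.
  return scans.find((s) => s.status === 'COMPLETED' && s.tags && s.tags.GIT_SHA === sha) || null;
}

// Orchestrates the check. Every failure path returns { found: false } with a reason
// so the caller runs HawkScan normally; problems are surfaced as warnings, not errors.
function checkForExistingScan({ apiKey, configText, sha, request, warn = () => {} }) {
  if (!sha) { warn('no commit SHA available; running normal scan'); return { found: false, reason: 'no-sha' }; }
  try {
    const appId = parseApplicationId(configText);
    if (!appId) { warn('applicationId not found in config; running normal scan'); return { found: false, reason: 'no-app-id' }; }
    const token = authenticate(request, apiKey);
    const orgId = lookupOrganizationId(request, token, appId);
    const scan = searchScanBySha(request, token, orgId, appId, sha);
    if (!scan) return { found: false, reason: 'no-matching-scan' };
    return { found: true, scanId: scan.id, passed: scan.thresholdPassed === true };
  } catch (err) {
    warn(`SHA lookup failed (${err.message}); running normal scan`);
    return { found: false, reason: 'api-error' };
  }
}

// Constructed fixtures standing in for the platform; ids, key and shapes are made up.
const SAMPLE_APP_ID = '11111111-2222-3333-4444-555555555555';
const SAMPLE_CONFIG = `app:\n  applicationId: ${SAMPLE_APP_ID}\n  env: Development\n`;
const SAMPLE_SHA = 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeef';
const SAMPLE_API_KEY = 'constructed-api-key';

function makeFakeRequest(overrides = {}) {
  const routes = Object.assign({
    [AUTH_PATH]: (headers) => (headers['X-ApiKey'] === SAMPLE_API_KEY ? { token: 'jwt-constructed' } : null),
    [appPath(SAMPLE_APP_ID)]: () => ({ organizationId: 'org-constructed' }),
  }, overrides);
  return (method, path, headers) => {
    const base = path.split('?')[0];
    if (routes[base]) return routes[base](headers, path);
    if (base === SCAN_SEARCH_PATH) {
      return path.includes(`GIT_SHA=${SAMPLE_SHA}`)
        ? { scans: [{ id: 'scan-1', status: 'COMPLETED', thresholdPassed: true, tags: { GIT_SHA: SAMPLE_SHA } }] }
        : { scans: [] };
    }
    throw new Error(`unexpected request ${method} ${path}`);
  };
}

// Usage, as the action's main step would call it:
const verdict = checkForExistingScan({ apiKey: SAMPLE_API_KEY, configText: SAMPLE_CONFIG, sha: SAMPLE_SHA, request: makeFakeRequest(), warn: console.warn });
console.log(verdict.found ? `reusing scan ${verdict.scanId}, passed=${verdict.passed}` : `no reusable scan (${verdict.reason}); running HawkScan`);
```

Two design points worth keeping when adapting this: the short-circuit only fires for a scan whose status is COMPLETED, because an in-progress or errored scan has no threshold verdict to pass or fail on, and every error is collapsed into a `found: false` result so a platform outage costs a redundant scan rather than a broken pipeline.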

sgerlach added 8 commits April 1, 2026 14:37
Implements authenticate(), searchScanBySha(), and checkForExistingScan()
to look up existing scans by commit SHA before running a new scan.
Implements buildScanSummaryMarkdown, writeScanSummary, and postPrComment
for formatting scan results as markdown and posting to GitHub Step Summary
or PR comments when a previously completed scan is found by commit SHA.
Add two new action inputs to action.yml and gatherInputs() in src/utilities.js:
- commitShaCheck: triggers pre-scan SHA lookup on the StackHawk platform
- organizationId: required when commitShaCheck is enabled

Rebuild dist/ to include updated utilities.
@sgerlach sgerlach requested a review from a team as a code owner April 1, 2026 21:46
@Bwvolleyball Bwvolleyball left a comment

organizationId as a required input

Do we need organizationId as a separate user-provided input? Since the action already has the apiKey and parses applicationId from stackhawk.yml, the org should be derivable — apps can only belong to one organization.

The auth response from /api/v1/auth/login likely contains the org ID, or we can look it up from the app. That would let us drop the organizationId input entirely and reduce setup friction for users.

@sgerlach sgerlach merged commit 096b544 into main Apr 2, 2026
13 checks passed
@sgerlach sgerlach deleted the feat/commit-sha-check branch April 2, 2026 17:05