Pull Request Commenting

NEW IN RELEASE 88

Overview

Nexus IQ for SCM adds a comment to a GitHub pull request (PR) when a PR against a repository configured for source control introduces a new policy violation.

This is done by comparing the policy evaluation report for the PR's source branch with the latest available policy evaluation report for the default branch configured in source control.

Prerequisites

The following criteria are prerequisites for GitHub PR commenting:

  1. The selected repository is configured for source control, as described in Nexus IQ for SCM.
  2. Nexus IQ policy evaluations are run against commits on the source control configured default branch. We recommend configuring the CI system to do this.
  3. Nexus IQ policy evaluations are run against commits on the feature/development branch that the PR pertains to.
  4. Automated PR commenting only works on repositories that are not publicly accessible. On github.com this means the repository must be private; on GitHub Enterprise all repositories are supported.

PR Comment

The PR comment contains a summary of the violations introduced by the PR, the affected components, and a description of each violation. See below for an example:

Important note: the PR's target branch is NOT used as the basis for detecting new policy violations. The basis for comparison is the default branch configured in Nexus IQ for SCM. A PR that targets some other long-lived branch (for example a release branch) is therefore still compared against the default branch, not against the branch it will be merged into.

PR comments are generated when:

  • A policy evaluation is run against new commits on an open PR and violations are detected
  • A newly detected PR satisfies the prerequisites for PR commenting listed above

The PR comment is designed to appear on the PR within a few moments after either of these conditions is satisfied.

Nexus IQ for SCM updates an existing PR comment with the latest available information when the feature branch scan report is reevaluated, or when a new policy evaluation is run against the head commit of the PR.

The PR comment only reports violations introduced by the specific PR. These are determined by comparing the policy evaluation report for the PR's source branch with the latest available policy evaluation report for the Nexus IQ for SCM configured default branch. Note that the Summary and Scan Report shown in the status check include all violations present in the latest policy evaluation for a given commit, not only the ones introduced by the PR.

Running Policy Evaluations on Different Branches

We recommend that evaluations against the default (master) branch use the 'build' stage in Nexus IQ, and that feature branch evaluations use the 'develop' stage. Because feature branches are volatile and vary across the features being developed, using the 'develop' stage reduces noise: evaluations at that stage are not shown on the dashboard or in your reports.

Enabling policy evaluations on feature branches also increases the disk space consumed by stored application composition reports. Nexus IQ Server can be configured to purge outdated reports automatically; see the Data Retention and Purging page for details.

If feature branch evaluations are configured to use the 'develop' stage, review the actions in the Nexus IQ Server policy configuration. By default, the 'develop' stage does not trigger a 'fail' action for any of the defined policies, and status checks (and the associated branch protection) only report failure when the policy evaluation triggers a 'fail' action. Without a 'fail' action at the 'develop' stage, a PR that introduces a violation will receive a PR comment but its status check will still pass.
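The following CI helper is an added example, not part of the Nexus IQ for SCM documentation or Sonatype's tooling. It applies the recommendation above: commits on the source control configured default branch are evaluated at the 'build' stage, and commits on any other (feature/PR) branch at the 'develop' stage. It uses the Nexus IQ CLI options -i (application id), -s (server URL), -a (credentials) and -t (stage); the jar file name, the server URL, the application id, the branch names and the IQ_AUTH environment variable are assumed placeholder values. The functions print the command rather than running it so the logic can be checked offline.

```shell
#!/bin/sh
# Added example (not from the Nexus IQ for SCM docs): choose the Nexus IQ stage
# for a CI policy evaluation from the branch being built, then assemble the
# Nexus IQ CLI invocation. In a real pipeline BRANCH and DEFAULT_BRANCH come from
# CI environment variables (e.g. GITHUB_REF_NAME); they are passed as arguments
# here so the functions can be exercised offline.

# select_stage BRANCH DEFAULT_BRANCH
# Prints "build" for the source control configured default branch and
# "develop" for every other branch. The 'develop' stage keeps feature branch
# evaluations off the dashboard and, by default, does not trigger a 'fail'
# action, so the PR still gets a comment but the status check passes.
select_stage() {
  branch="$1"
  default_branch="$2"
  if [ "$branch" = "$default_branch" ]; then
    echo build
  else
    echo develop
  fi
}

# iq_eval_cmd APP_ID BRANCH DEFAULT_BRANCH SCAN_TARGET
# Prints (does not run) the Nexus IQ CLI command for the evaluation.
# Assumed values: jar name nexus-iq-cli.jar, server URL in IQ_SERVER (with a
# placeholder default), credentials "user:token" in IQ_AUTH so they never
# appear in the script or the CI log.
iq_eval_cmd() {
  app_id="$1"
  stage=$(select_stage "$2" "$3")
  target="$4"
  iq_server="${IQ_SERVER:-https://iq.example.internal:8070}"
  echo "java -jar nexus-iq-cli.jar -i $app_id -s $iq_server -a \"\$IQ_AUTH\" -t $stage $target"
}

# Constructed usage: a feature branch build of application "my-app" whose
# repository default branch is "main". Both of these PR-commenting prerequisites
# (default-branch evaluations and feature-branch evaluations) are covered by
# running the same script on every branch.
iq_eval_cmd my-app "${GITHUB_REF_NAME:-feature/login-cache}" main target/
```

Dropping the echo and running the assembled command directly (with IQ_AUTH supplied as a CI secret) turns this into the evaluation step for both branch types; because the same script runs on every branch, the default branch always has a current 'build' stage report for PR comparisons to use.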