
[REQ] Overwriting Pull Request Comment when scan launched in different jobs #118

Open
alex46300 opened this issue May 9, 2023 · 0 comments
Labels
enhancement New feature or request

Comments

@alex46300

Is your request related to a workflow problem?

Because the SAST scan is quicker than the SCA scan, I run these scans in parallel in two different jobs in GitHub Actions:

  • the first one in sync mode for SAST
  • the second one in async mode for SCA

The problem with running the scans in two different jobs is that when the first scan is completed a comment is inserted into the PR. Then, when the second scan is completed, a comment is inserted into the PR but overwrites the previous comment.

Propose a solution

One GitHub PR comment with the first scanner result (SAST) and another GitHub PR comment with the second scanner result (SCA).

Additional comments

GitHub workflow extract:

```yaml
jobs:
  sast-iac:
    runs-on: [self-hosted, Linux, standard]
    name: Checkmarx SAST
    steps:
      # clone the repository
      - name: checkout
        uses: actions/checkout@v3
        with:
          submodules: true

      - name: Checkmarx SAST and KICS (sync mode)
        continue-on-error: false
        id: checkmarx-improved-sync
        uses: Checkmarx/[email protected]
        with:
          project_name: ${{ env.CX_PROJECT_NAME }}
          branch: ${{ steps.branch-name.outputs.branch-name }}
          cx_tenant: ****
          base_uri: https://eu.ast.checkmarx.net
          cx_client_id: ${{ env.client-id }}
          cx_client_secret: ${{ env.client-secret }}
          additional_params: >-
            --scan-types "SAST,KICS"
            --sast-incremental
            --report-format summaryJSON
            --sast-preset-name "${{ inputs.cx-preset }}"
            --tags commit_id:${{ github.sha }},event_name:${{ github.event_name }}
            --file-filter "${{ inputs.cx-file-filter }}"
            --project-groups "${{ inputs.cx-project-groups }}"
            --project-tags "${{ inputs.cx-project-tags }}"
            --threshold "${{ inputs.cx-threshold }}"
            --scan-timeout "${{ inputs.cx-timeout-minutes }}"
  sca:
    runs-on: [self-hosted, Linux, standard]
    name: Checkmarx SCA
    steps:
      # clone the repository
      - name: checkout
        uses: actions/checkout@v3
        with:
          submodules: true

      - name: Checkmarx SCA (async mode)
        if: ${{ contains(inputs.cx-scan-types, 'sca') }}
        continue-on-error: false
        id: checkmarx-improved-async
        uses: Checkmarx/[email protected]
        with:
          project_name: ${{ env.CX_PROJECT_NAME }}
          branch: ${{ steps.branch-name.outputs.branch-name }}
          cx_tenant: ****
          base_uri: https://eu.ast.checkmarx.net
          cx_client_id: ${{ env.client-id }}
          cx_client_secret: ${{ env.client-secret }} # pragma: allowlist secret
          additional_params: >-
            --scan-types SCA
            --sast-incremental
            --report-format summaryJSON
            --sast-preset-name "${{ inputs.cx-preset }}"
            --tags commit_id:${{ github.sha }},event_name:${{ github.event_name }}
            --file-filter "${{ inputs.cx-file-filter }}"
            --project-groups "${{ inputs.cx-project-groups }}"
            --project-tags "${{ inputs.cx-project-tags }}"
            --threshold "${{ inputs.cx-threshold }}"
            --scan-timeout "${{ inputs.cx-timeout-minutes }}"
            --async
```
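The overwrite described in this request is what happens when two scanner jobs each "update the existing results comment" and recognise the same comment. The example below is added here and is not the Checkmarx action's own code; it assumes the action keys its comment on a hidden marker and uses an in-memory stand-in for the GitHub issue-comments API, so it can be run offline to contrast a shared marker (SCA clobbers SAST) with a per-scanner marker (one comment each, reruns still update in place).

```python
"""Upsert a pull-request comment keyed by a hidden HTML marker (added example)."""
from dataclasses import dataclass, field
import itertools


@dataclass
class Comment:
    id: int
    body: str


@dataclass
class FakePullRequest:
    """Constructed stand-in for GET/POST/PATCH .../issues/{n}/comments."""
    comments: list[Comment] = field(default_factory=list)
    _ids: itertools.count = field(default_factory=lambda: itertools.count(1))

    def upsert(self, marker: str, text: str) -> Comment:
        """Update the first comment carrying `marker`, otherwise create one.
        The marker is an HTML comment, so it is invisible in the rendered PR."""
        body = f"{marker}\n{text}"
        for c in self.comments:
            if c.body.startswith(marker):
                c.body = body                      # overwrite in place (PATCH)
                return c
        new = Comment(next(self._ids), body)       # create (POST)
        self.comments.append(new)
        return new


def post_results(pr: FakePullRequest, scanner: str, text: str,
                 per_scanner_marker: bool = True) -> Comment:
    # Shared marker: every scanner job edits the same comment (the reported bug).
    # Per-scanner marker: SAST and SCA each own a comment (the requested behaviour).
    # Marker strings are assumptions for this example, not the action's real ones.
    marker = (f"<!-- cx-scan:{scanner} -->" if per_scanner_marker
              else "<!-- cx-scan -->")
    return pr.upsert(marker, text)


def run_demo(per_scanner_marker: bool) -> list[str]:
    """Replay the issue's sequence: SAST finishes first, SCA later, SAST reruns."""
    pr = FakePullRequest()
    post_results(pr, "SAST", "SAST: 3 high findings", per_scanner_marker)
    post_results(pr, "SCA", "SCA: 1 vulnerable package", per_scanner_marker)
    post_results(pr, "SAST", "SAST: 0 high findings", per_scanner_marker)
    return [c.body.splitlines()[-1] for c in pr.comments]  # visible text per comment
```

With the shared marker the PR ends up with a single comment holding only the last writer's text; with per-scanner markers the SAST rerun updates its own comment and the SCA comment survives.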

@alex46300 alex46300 added the enhancement New feature or request label May 9, 2023