Should AppSweep Github Action and/or Gradle plugin block until the Security analysis is complete?

Hi everyone :wave:

I’m currently using AppSweep in one of my open-source projects, pretty much to compare it with some other solutions in the field (like Oversecured and NowSecure)

I’m currently driving the integration using the Github Action, since it fits naturally in my CI/CD pipeline.

I’ve been questioning if such Security analysis should follow a blocking behavior, i.e., waiting until the analysis has finished before exiting at pipeline level and eventually breaking the CI/CD pipeline according to conditions defined by AppSweep and/or by the user (e.g., don’t fail pipelines unless the Security issue is Severe/Critical, etc.).

I know that such analysis can take a lot of time sometimes, but for some scenarios this is quite doable and even desirable; for instance, I could have such Security checks running on my nightly builds, so Engineers won’t be blocked by AppSweep while developing new stuff (e.g., waiting for PR checks).

Do you folks have any plans to provide such behavior for this Github Action and also for the Gradle plugin?

Thanks in advance!

1 Like
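The gating behavior asked about above (wait for the scan to finish, then fail the job only at or above a chosen severity) can be sketched independently of any particular scanner. The script below is an added example written for this thread; it is not AppSweep's GitHub Action or Gradle plugin code. The findings API shape (a `status` field with values `running`/`finished` and a `findings` list), the severity labels, and the sample findings are all assumptions constructed for the example; `make_fake_poller` stands in for a real findings endpoint, which the reply below says the action does not currently expose.

```python
"""Added example (not AppSweep's own code): a blocking CI gate that polls an
analysis until it finishes, then fails the job only on findings at or above a
severity threshold. All API shapes and severity names are assumptions."""
import time
from typing import Callable, Dict, List, Tuple

# Assumed severity ordering; the real scanner's labels may differ.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings, not real scanner output.
SAMPLE_FINDINGS = [
    {"id": "F-1", "title": "cleartext network traffic allowed", "severity": "medium"},
    {"id": "F-2", "title": "exported component without permission", "severity": "high"},
    {"id": "F-3", "title": "debuggable release build", "severity": "low"},
]


def make_fake_poller(findings: List[Dict], pending_polls: int = 2) -> Callable[[], Dict]:
    """Constructed stand-in for a findings API: reports 'running' for a few
    polls, then 'finished' with the given findings attached."""
    calls = {"n": 0}

    def poll() -> Dict:
        calls["n"] += 1
        if calls["n"] <= pending_polls:
            return {"status": "running", "findings": []}
        return {"status": "finished", "findings": findings}

    return poll


def wait_for_analysis(poll: Callable[[], Dict], timeout_s: float,
                      interval_s: float = 30.0, sleep=time.sleep) -> Dict:
    """Block until poll() reports status 'finished' or the timeout elapses.
    `sleep` is injectable so CI tests and unit tests need not really wait."""
    deadline = time.monotonic() + timeout_s
    while True:
        result = poll()
        if result.get("status") == "finished":
            return result
        if time.monotonic() >= deadline:
            raise TimeoutError("analysis did not finish within %ss" % timeout_s)
        sleep(interval_s)


def blocking_findings(findings: List[Dict], min_severity: str) -> List[Dict]:
    """Return the findings whose severity is at or above min_severity.
    Unknown severity labels rank below 'low' so they never block by accident."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if SEVERITY_RANK.get(f.get("severity", "low"), 0) >= threshold]


def gate(poll: Callable[[], Dict], min_severity: str = "high",
         timeout_s: float = 1800, interval_s: float = 30.0,
         sleep=time.sleep) -> Tuple[int, List[Dict]]:
    """Run the blocking gate and return (exit_code, blocking_findings).
    0 = pass, 1 = findings at/above threshold, 2 = analysis never finished.
    Keeping timeout separate from policy failure lets a nightly job report
    'scanner slow' differently from 'app has a severe issue'."""
    try:
        result = wait_for_analysis(poll, timeout_s, interval_s, sleep)
    except TimeoutError:
        return 2, []
    blocking = blocking_findings(result["findings"], min_severity)
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    # Stand-alone demo against the constructed poller; no real network calls.
    code, blocking = gate(make_fake_poller(SAMPLE_FINDINGS), "high",
                          timeout_s=10, interval_s=0, sleep=lambda s: None)
    for f in blocking:
        print("%s [%s] %s" % (f["id"], f["severity"], f["title"]))
    raise SystemExit(code)
```

A nightly workflow would call `gate` with a generous timeout and `min_severity="high"` (or the scanner's equivalent of Severe/Critical), while a PR check could skip the wait entirely, which matches the split between blocking nightly builds and non-blocking PR checks described in the question.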

Hi @ubiratan.soares

We have definitely seen scenarios where teams wish to break the build after their security analysis; the decision whether to configure such a behavior usually comes down to speed of analysis and the relevance of the findings.

Currently, AppSweep operates more in the background: our GitHub action initializes the scan, but does not wait for the findings, nor does it interpret the findings. We do have some API improvements planned in the next quarter where we are looking to make findings accessible, which will enable this kind of scenario.

In the meantime, our GitHub app does link your analysis to the pull request, so you could have your review process come after the scan completes, so you could at least manually verify the results as part of a review.

Hope that helps, we’ll keep you posted on the future API improvements that might support this use case.

1 Like