security: Include branch name in security scan Slack alerts and fail only on high vulnerabilities

[harsh-vador]

Description

This PR updates the security scan workflow notifications and adjusts the Retire.js vulnerability threshold.

Changes

• Added the GitHub branch name to Slack success/failure messages using ${{ github.ref_name }}.
• Updated the Retire.js scan threshold from medium to high.
• Medium vulnerabilities no longer fail the vulnerability scan.
• High and Critical vulnerabilities continue to fail the scan.

Type of change:

• Bug fix
• Improvement
• New feature
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation

High-level design:

N/A — small change.

Tests:

Use cases covered

Unit tests

Backend integration tests

Ingestion integration tests

Playwright (UI) tests

Manual testing performed

UI screen recording / screenshots:

Not applicable.

Checklist:

• I have read the CONTRIBUTING document.
• My PR title is Fixes <issue-number>: <short explanation>
• My PR is linked to a GitHub issue via Fixes #<issue-number> above.
• I have commented on my code, particularly in hard-to-understand areas.
• For JSON Schema changes: I updated the migration scripts or explained why it is not needed.
• For UI changes: I attached a screen recording and/or screenshots above.
• I have added tests (unit / integration / Playwright as applicable) and listed them above.

---

Summary by Gitar

• Updated security workflow:
  • Adjusted Retire.js threshold from medium to high severity.
  • Included ${{ github.ref_name }} in Slack success/failure notifications.
• Refined Makefile:
  • Corrected trailing whitespace and formatting in UI-related checkstyle targets.

_{This will update automatically on new commits.}

[github-actions]

🟡 Playwright Results — all passed (9 flaky)

✅ 4019 passed · ❌ 0 failed · 🟡 9 flaky · ⏭️ 86 skipped

Shard	Passed	Failed	Flaky	Skipped
✅ Shard 1	299	0	0	4
🟡 Shard 2	751	0	4	8
🟡 Shard 3	757	0	2	7
✅ Shard 4	790	0	0	18
🟡 Shard 5	686	0	1	41
🟡 Shard 6	736	0	2	8

🟡 9 flaky test(s) (passed on retry)

• Features/ActivityAPI.spec.ts › Activity event shows the actor who made the change (shard 2, 1 retry)
• Features/BulkEditEntity.spec.ts › Glossary (shard 2, 1 retry)
• Features/DataQuality/BundleSuiteBulkOperations.spec.ts › Add test case to existing Bundle Suite (shard 2, 1 retry)
• Features/Glossary/GlossaryWorkflow.spec.ts › should start term as Draft when glossary has reviewers (shard 2, 1 retry)
• Features/RTL.spec.ts › Verify Following widget functionality (shard 3, 1 retry)
• Flow/ObservabilityAlerts.spec.ts › Alert operations for a user with and without permissions (shard 3, 2 retries)
• Pages/EntityDataSteward.spec.ts › Tier Add, Update and Remove (shard 5, 1 retry)
• Pages/Lineage/LineageFilters.spec.ts › Verify lineage schema filter selection (shard 6, 1 retry)
• Pages/Login.spec.ts › Refresh should work (shard 6, 1 retry)

📦 Download artifacts

How to debug locally

# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip    # view trace

[gitar-bot]

Code Review ✅ Approved 2 resolved / 2 findings

Enhances security scan reporting by adding branch context to Slack alerts and generating an aggregated CSV findings summary. Refines data processing with improved error handling and deduplication logic to ensure robust report generation.

✅ 2 resolved

✅ Edge Case: Unhandled JSON parse error aborts entire CSV generation

📄 scripts/snyk_one_line_findings.py:227-228 📄 scripts/snyk_one_line_findings.py:248-251
In report_rows, if any single JSON file is malformed or empty, json.load will raise a JSONDecodeError that propagates up through generate_csv, preventing the CSV from being generated at all — even if other JSON files are perfectly valid. In a CI environment where multiple Snyk reports are produced, one corrupted file should not block the summary of all others.

✅ Performance: normalize() evaluates each list item twice

📄 scripts/snyk_one_line_findings.py:47
The list branch in normalize calls normalize(item) twice per element — once in the filter predicate and once in the generator expression body. For large vulnerability lists with nested structures, this doubles the work unnecessarily.

Options

Display: compact → Showing less information.

Comment with these commands to change:

Compact

gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}

[sonarqubecloud]

Quality Gate passed for 'open-metadata-ingestion'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud