Description
I have an action that I'd like to work on both pull requests and push events.
The SARIF is uploaded in both cases. When results of a pull request scan contain problems, it blocks the PR, which is great. The user is presented with a list of options: "Won't Fix", "false positive", "Unit tests". If they click "Won't Fix", the PR can be merged. However, the results never show up in the default branch's scanning results anymore. I think that's intended.
What I'd like is an additional option to the effect of "Will fix in another pull request" or "Won't fix in this pull request" to inform GitHub that it's fine to ignore the results to merge this PR, but that I intend to fix it later so I want the problem to show up on the default branch's scanning results. This is really important: imagine the problem has low criticality, I may want to allow merging the pull request and live with the vulnerability for a few days. If I cannot find the vulnerability on the dashboard, I will for-ever forget to fix it.
In addition: any results that are discarded ("Won't Fix", etc) are very hard to find in the UI. For example, as a security engineer, I may want to review all previous "Won''t Fix" in a branch. I can search for "is:closed" by branch, but I don't seem to be able to find those marked as "Won't Fix", etc. We all make mistakes, so giving the ability search through past choices is useful.