Description
Contact Details
What problem does this solve?
When the Checkmarx GitHub Action runs on a pull request and finds no new vulnerabilities, it still posts a PR comment (e.g. “Great job! No new security vulnerabilities introduced”).
For teams running the scan on every pull request, this creates noise:
- PR discussions get cluttered with non-actionable comments
- Important human comments are pushed off screen
- The information is redundant with the GitHub check status
- Unnecessary email notifications may be triggered
When vulnerabilities are found, the action already fails and surfaces details via checks, which is sufficient and effective.
Proposed Solution
Add a configuration option to control PR comments, for example:
- a boolean flag like `comment_on_success: false`, or
- a more flexible option such as `pr_comment_mode: always | on-failure | never`
This would allow teams to keep strict security enforcement while avoiding PR noise when scans are clean.
Importance Level
Important
Additional Information
The only current workaround is removing the `pull-requests: write` permission from the workflow, which prevents comments entirely but is coarse-grained and not ideal.
Reducing unnecessary PR comments would improve developer experience and align with common CI behavior: quiet when everything is OK, loud when action is required.
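The workaround above, written out as a workflow fragment. This is an added illustration, not part of the issue or of the action's documentation; the action reference and its inputs are placeholders, and the `comment_on_success` option shown in the trailing comment is the one proposed in this issue, not an existing input.

```yaml
# Added example: least-privilege job permissions so the action cannot post
# PR comments, while the job status still surfaces scan failures in checks.
# ORG/CHECKMARX-ACTION@VERSION is a placeholder for the real action reference.
name: checkmarx-scan
on:
  pull_request:

# With an explicit `permissions` block, every scope not listed is `none`.
# Omitting `pull-requests: write` is the coarse workaround the issue describes:
# it suppresses all PR comments, the "Great job" one included.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Checkmarx scan
        uses: ORG/CHECKMARX-ACTION@VERSION   # placeholder
        # with: the action's usual inputs (credentials, project name) go here.
        #
        # Proposed in this issue (does not exist yet): keep `pull-requests: write`
        # and instead set
        #   comment_on_success: false
        # so comments appear only when the scan finds something.
```

If the action needs other scopes for its own check runs, add only those explicitly; the point of the block is that nothing unlisted is granted.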