
fix: update prisma scan to remove blocking on compliance#69

Open
artyom-morozov wants to merge 1 commit into main from update-prisma

Conversation

artyom-morozov (Collaborator) commented Feb 11, 2026

What is the purpose of this change?

Remove deprecated WhiteSource security scanning integration and enhance Prisma Cloud vulnerability scanning with configurable grace periods and compliance blocking controls to provide more flexible security policy enforcement in the CI/CD pipeline.

How is this accomplished?

  • Remove WhiteSource Integration: Delete all WhiteSource-related workflow inputs (whitesource_product_name, whitesource_project_name), secrets (WHITESOURCE_API_KEY), and two complete job steps (Run WhiteSource Policy Gate and Run WhiteSource Vulnerability Gate) from the GitHub Actions workflow
  • Add Grace Period for Vulnerabilities: Introduce vulnerability_grace_period_days input (default: 7 days) that filters vulnerabilities by their publishedDate timestamp, only blocking on vulnerabilities older than the grace period
  • Add Compliance Blocking Toggle: Introduce block_on_compliance input (default: false) to make compliance issue blocking opt-in rather than mandatory, separating compliance checks from vulnerability checks
  • Enhance Vulnerability Filtering Logic: Implement sophisticated jq-based filtering that calculates BLOCKING_VULN_CRITICAL and BLOCKING_VULN_HIGH by comparing vulnerability publish dates against the grace period threshold, while tracking grace-period vulnerabilities separately for informational reporting
  • Improve Reporting Granularity: Update scan result summary to display blocking vs. grace-period vulnerability counts separately and show whether compliance blocking is enabled, providing clearer visibility into what will actually block releases

Anything reviewers should focus on/be aware of?

  • Breaking Change: Removal of WhiteSource integration will break any workflows currently using whitesource_product_name or whitesource_project_name inputs - dependent repositories must migrate to Prisma-only scanning
  • Date Parsing Logic: The jq expression handling publishedDate includes fallback logic for both numeric timestamps and ISO date strings (split("T")[0] | strptime("%Y-%m-%d") | mktime) - verify this handles all Prisma Cloud date formats correctly
  • Default Behavior Change: Compliance issues no longer block releases by default (block_on_compliance defaults to false), which may reduce security enforcement unless teams explicitly opt in
  • Grace Period Calculation: The grace period comparison uses seconds (GRACE_PERIOD_DAYS * 86400) and relies on vulnerability publishedDate accuracy - vulnerabilities without valid dates fall back to total counts, potentially bypassing grace period logic

Generated by LinearB AI and added by gitStream.
AI-generated content may contain inaccuracies. Please verify before using.
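The grace-period gate the description above explains (publishedDate parsed from either a numeric timestamp or an ISO string, compared against a cutoff of GRACE_PERIOD_DAYS * 86400 seconds, with compliance blocking as an opt-in toggle), reimplemented in Python as an added example so it can be run outside the workflow; this is not the action's own jq code. It assumes findings carry a `severity` field alongside `publishedDate`, treats numeric values above 1e11 as milliseconds, and, unlike the fallback the description mentions, counts an unparseable date as blocking for that one finding while reporting it separately. The sample findings are constructed.

```python
from datetime import datetime, timezone

GRACE_PERIOD_DAYS = 7  # same default as the action's vulnerability_grace_period_days input

def published_epoch(value):
    """publishedDate as Unix seconds, or None if unparseable. Strings keep only the date
    part, mirroring the action's jq: split("T")[0] | strptime("%Y-%m-%d") | mktime."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value / 1000 if value > 1e11 else float(value)  # assumption: >1e11 means ms
    if isinstance(value, str):
        try:
            day = datetime.strptime(value.split("T")[0], "%Y-%m-%d")
            return day.replace(tzinfo=timezone.utc).timestamp()
        except ValueError:
            return None
    return None

def classify(vulns, now, grace_days=GRACE_PERIOD_DAYS):
    """Count critical/high findings as blocking or in-grace relative to `now` (Unix seconds).
    An unparseable date is counted as blocking AND tallied under 'undated' (fail closed)."""
    threshold = now - grace_days * 86400  # grace window in seconds, as in the action
    counts = {"blocking": {"critical": 0, "high": 0}, "grace": {"critical": 0, "high": 0}, "undated": 0}
    for v in vulns:
        sev = str(v.get("severity", "")).lower()
        if sev not in counts["blocking"]:
            continue  # medium/low never block
        published = published_epoch(v.get("publishedDate"))
        if published is None:
            counts["undated"] += 1
            counts["blocking"][sev] += 1
        elif published <= threshold:  # on or before the cutoff: old enough to block
            counts["blocking"][sev] += 1
        else:
            counts["grace"][sev] += 1
    return counts

def release_blocked(counts, compliance_high_critical=0, block_on_compliance=False):
    """Gate: vulnerabilities past the grace period always block; compliance only if opted in."""
    vuln_block = counts["blocking"]["critical"] + counts["blocking"]["high"] > 0
    return vuln_block or (block_on_compliance and compliance_high_critical > 0)

NOW = datetime(2026, 2, 11, tzinfo=timezone.utc).timestamp()  # fixed reference time for the sample
SAMPLE = [  # constructed findings in the shape of Prisma Cloud output, not real scan data
    {"severity": "critical", "publishedDate": "2026-01-20T10:00:00Z"},  # 22 days old: blocks
    {"severity": "high", "publishedDate": "2026-02-08T00:00:00Z"},      # 3 days old: grace
    {"severity": "critical", "publishedDate": 1770595200},              # epoch 2026-02-09: grace
    {"severity": "high", "publishedDate": "2026-02-04T00:00:00Z"},      # exactly 7 days: blocks
    {"severity": "high", "publishedDate": "unknown"},                   # unparseable: blocks
    {"severity": "medium", "publishedDate": "2025-01-01T00:00:00Z"},    # ignored
]
```

Running `classify(SAMPLE, NOW)` yields 1 critical and 2 high blocking findings, 1 critical and 1 high in grace, and 1 undated; the undated count is what the `2>/dev/null` fallback in the review below would hide.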


gitstream-cm bot left a comment


✨ PR Review

The PR introduces grace period functionality for vulnerabilities and makes compliance blocking optional. The changes are generally well-structured, but there are concerns about error handling transparency and a significant security behavior change.

2 issues detected:

🧹 Maintainability - Error suppression makes it impossible to distinguish between successful parsing and various failure modes

Details: The vulnerability counting logic suppresses all jq errors with 2>/dev/null and falls back to counting all vulnerabilities when parsing fails. This hides JSON format issues, date parsing failures, and API response changes, making debugging difficult. Any jq failure (malformed JSON, unexpected date format, missing fields) is silently handled by blocking all vulnerabilities, which could mask underlying issues.
File: prisma-cloud-scan/action.yml

🔒 Security - Default value weakens security posture by silently disabling compliance blocking 🛠️

Details: The new block_on_compliance input defaults to "false", changing from previous behavior where critical/high compliance issues always blocked releases. Without explicit configuration, compliance issues will now be ignored, potentially allowing insecure releases. This is a significant security policy change that users may not notice when upgrading.
File: prisma-cloud-scan/action.yml (32-32)
🛠️ A suggested code correction is included in the review comments.

Generated by LinearB AI and added by gitStream.
AI-generated content may contain inaccuracies. Please verify before using.

Review comment on prisma-cloud-scan/action.yml:

    block_on_compliance:
      description: "Block release on compliance issues (high/critical)"
      required: false
      default: "false"


🔒 Security - Behavior Change: Consider changing the default to "true" to maintain backward compatibility and security-first approach, or explicitly document this breaking change in the PR description and migration guide.

Suggested change:

    -      default: "false"
    +      default: "true"

gitstream-cm bot commented Feb 11, 2026

Please mark whether you used Copilot to assist coding in this PR

  • Copilot Assisted

artyom-morozov changed the title from "fix: update prisma scan" to "fix: update prisma scan to remove blocking on compliance" on Feb 11, 2026
