PR Comments

The pr-comment command posts or updates one SecureObs status comment on a pull request. Comments are created by your CI runner using your CI platform token. SecureObs servers do not write to your repositories.

PR comments are tier-gated. Free-tier runs skip the comment step with a warning.

GitHub Actions

GitHub PR comment
docker run --rm \
  -e SECUREOBS_API_KEY="$SECUREOBS_API_KEY" \
  -e GH_TOKEN="${{ secrets.GITHUB_TOKEN }}" \
  -e GITHUB_REPOSITORY="$GITHUB_REPOSITORY" \
  -e GITHUB_EVENT_NAME="$GITHUB_EVENT_NAME" \
  -e GITHUB_REF="$GITHUB_REF" \
  secureobs/scanner:v1 \
  pr-comment \
  --project-id "$SECUREOBS_PROJECT_ID" \
  --tenant-id "$SECUREOBS_TENANT_ID" \
  --pipeline-run-id "$GITHUB_RUN_ID" \
  --platform github

Azure DevOps

Azure DevOps requires the "Allow scripts to access the OAuth token" option to be enabled, and the build service identity needs permission to contribute to pull requests.

Azure DevOps PR comment
docker run --rm \
  -e SECUREOBS_API_KEY \
  -e SYSTEM_ACCESSTOKEN \
  -e SYSTEM_PULLREQUEST_PULLREQUESTID \
  -e BUILD_REPOSITORY_ID \
  -e SYSTEM_TEAMPROJECT \
  -e SYSTEM_TEAMFOUNDATIONCOLLECTIONURI \
  secureobs/scanner:v1 \
  pr-comment \
  --project-id "$SECUREOBS_PROJECT_ID" \
  --tenant-id "$SECUREOBS_TENANT_ID" \
  --pipeline-run-id "$BUILD_BUILDID" \
  --platform azuredevops

Behavior

  • One marker-identified comment per PR.
  • Later runs update the existing comment in place.
  • Missing PR context causes the command to skip rather than create noise.
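
The three behaviors above amount to an idempotent upsert keyed on a hidden marker. The sketch below is an added example, not SecureObs code: the marker string, the function names, the simplified comment records and the author check are assumptions made for illustration. It derives PR context from the `GITHUB_EVENT_NAME` and `GITHUB_REF` variables passed in the GitHub Actions command.

```python
import re

# Hypothetical marker; the marker SecureObs actually uses is not documented here.
MARKER = "<!-- secureobs-status -->"
_PR_REF = re.compile(r"^refs/pull/(\d+)/merge$")


def pr_number(env):
    """Return the PR number from GitHub Actions variables, or None outside a PR."""
    if env.get("GITHUB_EVENT_NAME") != "pull_request":
        return None
    match = _PR_REF.match(env.get("GITHUB_REF", ""))
    return int(match.group(1)) if match else None


def plan_comment(env, existing, body, bot_login):
    """Return (action, comment_id, text) where action is skip, create or update."""
    if pr_number(env) is None:
        return ("skip", None, None)  # missing PR context: stay silent
    text = f"{MARKER}\n{body}"
    # Reuse a comment only if it carries the marker AND was written by the
    # CI identity, so a marker pasted by another user is never adopted.
    mine = [c for c in existing
            if MARKER in c["body"] and c["user"] == bot_login]
    if mine:
        oldest = min(mine, key=lambda c: c["id"])
        return ("update", oldest["id"], text)
    return ("create", None, text)


# Constructed sample data (simplified records, not real API output).
BOT = "github-actions[bot]"
PR_ENV = {"GITHUB_EVENT_NAME": "pull_request", "GITHUB_REF": "refs/pull/42/merge"}
PUSH_ENV = {"GITHUB_EVENT_NAME": "push", "GITHUB_REF": "refs/heads/main"}
COMMENTS = [
    {"id": 101, "user": "alice", "body": "LGTM"},
    {"id": 102, "user": "alice", "body": MARKER + "\ncopied marker"},
    {"id": 103, "user": BOT, "body": MARKER + "\n2 findings"},
]

if __name__ == "__main__":
    print(plan_comment(PR_ENV, COMMENTS, "0 findings", BOT))
    print(plan_comment(PR_ENV, [], "0 findings", BOT))
    print(plan_comment(PUSH_ENV, COMMENTS, "0 findings", BOT))
```

Matching on the author as well as the marker keeps the "one comment per PR" guarantee tied to the CI identity's own comment rather than to any comment that happens to contain the marker text.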