We have a new partnership for a static code analysis tool as mentioned here:
https://developer.joomla.org/news/739-rips-becomes-joomla-official-code-analysis-partner.html
This PR adds the tool to our CI pipeline.
Trigger a build in drone.
Works.
Status | New | ⇒ | Pending |
Category | ⇒ | Unit Tests |
I assume the results will not be public?
Yes, for obvious reasons ;) If an issue is found, the CI job will tell the dev to reach out to the security team so we can check.
Does that mean that it will be visible to the public if something has been referred, even if we don't know what?
Yes
So for me that's a problem. If I create a PR to tweak some current code, then the analysis will run. It detects an issue which might be in the current code as well as the change. Then there is a public notification that there is a security issue in this code, which might be in the current release. So now we have announced to the world that a security issue exists in this code block.
Or do I misunderstand you
So now we have announced to the world that a security issue exists in this code block.
The scanner always checks the complete codebase, not just the changed lines - so the feedback is only "there might be an issue somewhere in the global codebase".
Besides that, the procedure for an issue in the current codebase (unrelated to the PR) would be that we mark the issue as "known" in the scanning tool, rerun the scan (which will then succeed), and we can give the PR owner the feedback that this has been a false positive and has been fixed. In the background the JSST can work on the actual fix for the issue.
What's the status here?
Status | Pending | ⇒ | Information Required |
Status | Information Required | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-08-01 11:58:38 |
Closed_By | ⇒ | mbabker |
ATM we are only doing this for staging and not for 4.0-dev?
Yes, J4 will follow!