
Understanding PR Comments

When a PR scan completes and findings are detected, Mayo ASPM posts a formatted comment on the pull request and reports a check run status. This guide explains how to interpret the bot's output.


What the Bot Posts

The PR Comment

The Mayo ASPM bot posts a single comment on the pull request containing:

  1. A summary header with the total finding count and pass/fail status
  2. A findings table listing each detected issue
  3. A footer with scan metadata

Here is an example of what the comment looks like:

```markdown
## Mayo ASPM Security Scan Results

**Status:** BLOCKED — 2 findings require attention before merge
**Scanner:** OpenGrep, Gitleaks | **Branch:** feature/add-auth | **Duration:** 47s

### Findings

| Severity | Rule | File | Line | Status |
|----------|------|------|------|--------|
| CRITICAL | hardcoded-jwt-secret | src/auth/config.ts | 23 | BLOCK |
| HIGH | sql-injection | src/api/users.ts | 87 | BLOCK |
| MEDIUM | missing-csrf-token | src/routes/settings.ts | 14 | ALERT |
| LOW | console-log-statement | src/utils/debug.ts | 5 | ALERT |

---
*Scanned by [Mayo ASPM](https://mayoaspm.com) at 2026-04-15 14:23:47 UTC*
```

Comment Structure

Summary Header

| Field | Description |
|-------|-------------|
| Status | PASSED (no blocking findings), BLOCKED (one or more blocking findings), or NO FINDINGS (scan clean) |
| Scanner | Which scanner(s) were used for the scan |
| Branch | The PR branch that was scanned |
| Duration | How long the scan took to complete |

Findings Table

Each row in the findings table represents one detected issue:

| Column | Description |
|--------|-------------|
| Severity | The severity level: CRITICAL, HIGH, MEDIUM, or LOW |
| Rule | The scanner rule ID that triggered the finding (e.g., sql-injection, hardcoded-jwt-secret) |
| File | The file path where the finding was detected |
| Line | The line number in the file |
| Status | BLOCK if this finding blocks the PR, ALERT if informational only |

Table Sorting

Findings in the table are sorted by severity (Critical first, Low last) and then by file path. Blocking findings appear at the top.

Footer

The footer includes a timestamp and a link to the Mayo ASPM platform where developers can view full finding details.
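The following Python model ties the Summary Header status values, the Status column and the Table Sorting rule together in runnable form. It is an added illustration, not Mayo ASPM's own code: the `Finding` fields, the block threshold (CRITICAL and HIGH block, MEDIUM and LOW alert, matching the sample comment above), the headline wording and the sample findings are all assumptions drawn from this page.

```python
"""Model of the Mayo ASPM PR comment: status derivation, row ordering, rendering.

Added illustration, not Mayo ASPM's code. The block threshold, headline text
and sample findings below are assumptions taken from the example comment.
"""
from dataclasses import dataclass

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
# Assumed threshold: in the sample comment CRITICAL/HIGH rows are BLOCK, MEDIUM/LOW are ALERT.
BLOCK_SEVERITIES = {"CRITICAL", "HIGH"}


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    file: str
    line: int

    @property
    def status(self) -> str:
        return "BLOCK" if self.severity in BLOCK_SEVERITIES else "ALERT"


def sort_findings(findings):
    """Severity first (CRITICAL .. LOW), then file path, then line.

    Because the block threshold is a severity cut-off, this ordering also puts
    every BLOCK row above every ALERT row, as the page describes."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.file, f.line))


def summary_status(findings):
    """Return (status, blocking_count) using the values from the Summary Header table."""
    if not findings:
        return "NO FINDINGS", 0
    blocking = sum(1 for f in findings if f.status == "BLOCK")
    return ("BLOCKED" if blocking else "PASSED"), blocking


def render_comment(findings, scanners, branch, duration_s, scanned_at):
    """Render the single comment the bot posts (markdown), in the page's layout."""
    status, blocking = summary_status(findings)
    headline = {
        "BLOCKED": f"{blocking} findings require attention before merge",
        "PASSED": "No blocking findings",
        "NO FINDINGS": "No security findings detected",
    }[status]
    lines = [
        "## Mayo ASPM Security Scan Results",
        "",
        f"**Status:** {status} - {headline}",
        f"**Scanner:** {', '.join(scanners)} | **Branch:** {branch} | **Duration:** {duration_s}s",
        "",
    ]
    if findings:
        lines += ["### Findings", "",
                  "| Severity | Rule | File | Line | Status |",
                  "|----------|------|------|------|--------|"]
        lines += [f"| {f.severity} | {f.rule} | {f.file} | {f.line} | {f.status} |"
                  for f in sort_findings(findings)]
    else:
        lines.append("No findings detected in this pull request.")
    lines += ["", "---", f"*Scanned by [Mayo ASPM](https://mayoaspm.com) at {scanned_at}*"]
    return "\n".join(lines)


# Constructed sample, deliberately out of order, mirroring the page's findings table.
SAMPLE_FINDINGS = [
    Finding("LOW", "console-log-statement", "src/utils/debug.ts", 5),
    Finding("HIGH", "sql-injection", "src/api/users.ts", 87),
    Finding("MEDIUM", "missing-csrf-token", "src/routes/settings.ts", 14),
    Finding("CRITICAL", "hardcoded-jwt-secret", "src/auth/config.ts", 23),
]

if __name__ == "__main__":
    print(render_comment(SAMPLE_FINDINGS, ["OpenGrep", "Gitleaks"],
                         "feature/add-auth", 47, "2026-04-15 14:23:47 UTC"))
```

Running the block prints a comment with the two BLOCK rows first; the status and blocking count come from the same threshold that decides each row's Status column, which is why the two can never disagree.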


The Check Run

In addition to the comment, Mayo ASPM reports a check run on the pull request:

Pass (Green Check)

The check run passes when:

  • The scan completes with no findings at block severity levels (alert-level findings may still be present)

✓ mayo-aspm-scanner / security-scan — All checks have passed

Fail (Red X)

The check run fails when:

  • The scan detects one or more findings at block severity levels

✗ mayo-aspm-scanner / security-scan — 2 blocking findings detected

Pending (Yellow Circle)

The check run is pending while:

  • The scan is queued or currently running

● mayo-aspm-scanner / security-scan — Scan in progress...

Branch Protection

When combined with GitHub branch protection rules that require the mayo-aspm-scanner / security-scan check to pass, a failed check run prevents the PR from being merged; a pending check also holds the merge until the scan completes and reports. This is how PR scanning acts as a merge gate.
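The mapping from scan state to check run, and the gate a required status check imposes, can be made concrete. The block below is an added example, not Mayo ASPM's or GitHub's code: the check name `security-scan`, the scan states and the check-run dictionaries are assumptions, shaped like the `status` (queued / in_progress / completed) and `conclusion` fields of GitHub's Checks API. The gate treats only a completed check with conclusion `success` as passing; GitHub's handling of other conclusions is not modelled here.

```python
"""Check run reporting and the required-status-check merge gate.

Added illustration, not Mayo ASPM's or GitHub's code. REQUIRED_CHECK and the
check-run dictionaries are assumptions; only status/conclusion are modelled.
"""

# Assumed: the check name that branch protection lists as required.
REQUIRED_CHECK = "security-scan"


def check_run_for_scan(scan_state, blocking_count):
    """Translate the scan's state and blocking-finding count into the check run the bot reports."""
    if scan_state in ("queued", "running"):
        return {"name": REQUIRED_CHECK,
                "status": "queued" if scan_state == "queued" else "in_progress",
                "conclusion": None,
                "title": "Scan in progress..."}
    if blocking_count:
        return {"name": REQUIRED_CHECK, "status": "completed", "conclusion": "failure",
                "title": f"{blocking_count} blocking findings detected"}
    return {"name": REQUIRED_CHECK, "status": "completed", "conclusion": "success",
            "title": "All checks have passed"}


def merge_allowed(check_runs, required):
    """Evaluate required checks the way a merge gate does.

    check_runs: check runs reported on the PR head commit, oldest first; when
    the same check reports more than once, the latest report wins.
    required: set of check names the branch protection rule requires.
    Returns (allowed, reasons); a required check that never reported, is still
    running, or concluded anything other than success blocks the merge."""
    latest = {}
    for run in check_runs:
        latest[run["name"]] = run
    reasons = []
    for name in sorted(required):
        run = latest.get(name)
        if run is None:
            reasons.append(f"{name}: required check has not reported")
        elif run["status"] != "completed":
            reasons.append(f"{name}: {run['status']}")
        elif run["conclusion"] != "success":
            reasons.append(f"{name}: {run['conclusion']}")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed walk-through: queued -> failed scan -> re-scan after a fix.
    for runs in ([check_run_for_scan("queued", 0)],
                 [check_run_for_scan("completed", 2)],
                 [check_run_for_scan("completed", 2), check_run_for_scan("completed", 0)]):
        print(merge_allowed(runs, {REQUIRED_CHECK}))
```

The "has not reported" branch is the case that surprises teams most often: if the scanner app is uninstalled or misconfigured the required check never appears, and the merge stays blocked even though nothing is red.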


Interpreting Findings

Severity Levels

| Severity | What It Means | Action |
|----------|---------------|--------|
| CRITICAL | Exploitable vulnerability with severe impact (RCE, auth bypass, leaked production secrets) | Fix immediately before merging |
| HIGH | Significant vulnerability likely exploitable (SQL injection, XSS, high-severity CVEs) | Fix before merging; should not ship to production |
| MEDIUM | Moderate risk, may require specific conditions to exploit (CSRF, information disclosure) | Review and fix if practical, or accept risk with justification |
| LOW | Minor issue, best practice violation, or low-impact finding | Address when convenient, no urgency |

Rule IDs

The Rule column shows the scanner's rule identifier. Common patterns:

| Scanner | Rule ID Pattern | Example |
|---------|-----------------|---------|
| OpenGrep | category-name | sql-injection, xss-reflected, path-traversal |
| Semgrep | registry.rule-name | python.django.security.injection.sql-injection |
| Trivy | CVE ID | CVE-2024-1234 |
| Grype | CVE ID | CVE-2024-5678 |
| Gitleaks | secret-type | aws-access-key, generic-api-key, private-key |

File Paths and Line Numbers

The File and Line columns tell you exactly where the finding was detected. Click the file path in the comment to navigate directly to the relevant code in the PR diff on GitHub.


Idempotent Comment Updates

Mayo ASPM keeps a single comment per pull request and updates it in place, so the conversation is not cluttered with one comment per push:

First Scan

When a PR is first scanned, the bot creates a new comment with the findings.

Subsequent Pushes

When new commits are pushed to the PR:

  1. A new scan runs against the updated branch
  2. The existing bot comment is updated in place with the new results
  3. No duplicate comment is created

This means:

  • Each PR has at most one Mayo ASPM comment, regardless of how many pushes occur
  • The comment always reflects the most recent scan results
  • Developers are not flooded with repeated comments

Comment Edit History

GitHub shows an "edited" indicator on updated comments. You can view the edit history to see how findings changed between pushes.

No Findings

If a rescan finds zero findings (e.g., the developer fixed all issues):

  • The comment is updated to show a clean result
  • The check run status changes from fail to pass

```markdown
## Mayo ASPM Security Scan Results

**Status:** PASSED — No security findings detected
**Scanner:** OpenGrep, Gitleaks | **Branch:** feature/add-auth | **Duration:** 34s

No findings detected in this pull request.

---
*Scanned by [Mayo ASPM](https://mayoaspm.com) at 2026-04-15 15:12:03 UTC*
```

What Developers Should Do

When the Check Passes

No action required. The PR is clear of blocking security findings.

Review Alerts Anyway

Even when the check passes, review any alert-level findings in the comment. They may indicate real issues worth fixing even though they are not blocking.

When the Check Fails

  1. Read the findings table in the PR comment
  2. Identify BLOCK findings — these must be resolved
  3. Navigate to the affected files using the file path and line number
  4. Fix the issues in your code
  5. Push the fix — a new scan will run automatically
  6. Wait for the updated comment — verify BLOCK findings are resolved
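Steps 1, 2 and 6 above, and the "see how findings changed between pushes" point under Comment Edit History, amount to reading the findings table out of the bot comment and comparing two versions of it. The block below is an added example, not Mayo ASPM's code: it parses the table format shown on this page and diffs two constructed comment bodies (the second, with a fixed SQL injection, a moved secret and a new open-redirect alert, is invented for the example). Findings are matched on rule and file rather than line number, because a fix elsewhere in a file shifts the line of an unresolved finding.

```python
"""Parse the findings table from a Mayo ASPM PR comment and diff two pushes.

Added illustration, not Mayo ASPM's code. BEFORE mirrors the page's sample
comment; AFTER is a constructed later version of the same comment.
"""
import re

ROW_RE = re.compile(
    r"^\|\s*(CRITICAL|HIGH|MEDIUM|LOW)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*\|\s*(BLOCK|ALERT)\s*\|$"
)
STATUS_RE = re.compile(r"\*\*Status:\*\*\s*(NO FINDINGS|PASSED|BLOCKED)")


def parse_status(comment):
    """Return the summary status (PASSED / BLOCKED / NO FINDINGS) or None if absent."""
    m = STATUS_RE.search(comment)
    return m.group(1) if m else None


def parse_findings(comment):
    """Return one dict per row of the findings table; the header and rule rows never match ROW_RE."""
    findings = []
    for line in comment.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            sev, rule, path, line_no, status = m.groups()
            findings.append({"severity": sev, "rule": rule, "file": path,
                             "line": int(line_no), "status": status})
    return findings


def blocking(findings):
    """Step 2: the rows that must be resolved before the check can pass."""
    return [f for f in findings if f["status"] == "BLOCK"]


def diff_pushes(before, after):
    """Step 6: compare the comment before and after a push, keyed on (rule, file)."""
    key = lambda f: (f["rule"], f["file"])
    old = {key(f): f for f in parse_findings(before)}
    new = {key(f): f for f in parse_findings(after)}
    return {
        "resolved": sorted(k for k in old if k not in new),
        "introduced": sorted(k for k in new if k not in old),
        "remaining_blocking": sorted(k for k, f in new.items() if f["status"] == "BLOCK"),
    }


# Constructed sample: the page's comment, then a later version after one fix push.
BEFORE = """\
## Mayo ASPM Security Scan Results

**Status:** BLOCKED - 2 findings require attention before merge

| Severity | Rule | File | Line | Status |
|----------|------|------|------|--------|
| CRITICAL | hardcoded-jwt-secret | src/auth/config.ts | 23 | BLOCK |
| HIGH | sql-injection | src/api/users.ts | 87 | BLOCK |
| MEDIUM | missing-csrf-token | src/routes/settings.ts | 14 | ALERT |
| LOW | console-log-statement | src/utils/debug.ts | 5 | ALERT |
"""

AFTER = """\
## Mayo ASPM Security Scan Results

**Status:** BLOCKED - 1 finding requires attention before merge

| Severity | Rule | File | Line | Status |
|----------|------|------|------|--------|
| CRITICAL | hardcoded-jwt-secret | src/auth/config.ts | 31 | BLOCK |
| MEDIUM | missing-csrf-token | src/routes/settings.ts | 14 | ALERT |
| MEDIUM | open-redirect | src/routes/login.ts | 42 | ALERT |
"""

if __name__ == "__main__":
    print("must fix:", [(f["rule"], f["file"], f["line"]) for f in blocking(parse_findings(BEFORE))])
    print(diff_pushes(BEFORE, AFTER))
```

In the constructed run the secret moved from line 23 to line 31 but is still reported as remaining, the SQL injection and the console.log are reported resolved, and the new open-redirect alert is reported as introduced; a diff keyed on line numbers would have shown the secret as both resolved and new.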

Common Fix Patterns

| Finding Type | Common Resolution |
|--------------|-------------------|
| Hardcoded secret | Move to environment variable or secrets manager |
| SQL injection | Use parameterized queries or ORM methods |
| XSS | Apply output encoding/escaping |
| Vulnerable dependency | Upgrade to the patched version |
| Path traversal | Validate and sanitize file paths |
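Four of the fix patterns in the table, each shown as the flagged code beside its resolved form, as an added Python example (the page's sample findings are in TypeScript; the pattern is the same). This is not Mayo ASPM code: the in-memory SQLite table, the placeholder secret string and the `/srv/uploads` base directory are constructed for the example, and the vulnerable functions are kept only to show the injection actually working.

```python
"""Vulnerable-versus-fixed pairs for the common fix patterns above.

Added illustration, not Mayo ASPM code. The SQLite table, the placeholder
secret and the upload directory are constructed for this example.
"""
import html
import os
import sqlite3
from pathlib import Path


def make_db():
    """Constructed two-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")])
    return conn


# --- SQL injection --------------------------------------------------------
def find_user_vulnerable(conn, name):
    # What a sql-injection rule flags: the input is spliced into the statement,
    # so name = "x' OR '1'='1" turns the WHERE clause into a tautology.
    return conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()


def find_user_fixed(conn, name):
    # Parameterized query: the driver binds the value; it can never change the statement.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# --- Hardcoded secret ------------------------------------------------------
JWT_SECRET_VULNERABLE = "placeholder-secret-do-not-commit"  # constructed; this is what a secret rule flags


def jwt_secret_fixed(env=os.environ):
    # Read the secret from the environment (populated by a secrets manager at deploy
    # time) and fail closed if it is missing rather than falling back to a default.
    secret = env.get("JWT_SECRET")
    if not secret:
        raise RuntimeError("JWT_SECRET is not configured")
    return secret


# --- XSS ------------------------------------------------------------------
def render_greeting_vulnerable(name):
    return f"<p>Hello, {name}</p>"            # untrusted input lands in HTML unescaped


def render_greeting_fixed(name):
    return f"<p>Hello, {html.escape(name)}</p>"  # output encoding for the HTML context


# --- Path traversal --------------------------------------------------------
def safe_join(base, user_path):
    # Resolve the joined path and require it to stay inside base; "../" sequences
    # and absolute user paths both resolve outside and are rejected.
    base_p = Path(base).resolve()
    target = (base_p / user_path).resolve()
    if target != base_p and base_p not in target.parents:
        raise ValueError("path escapes the base directory")
    return target


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))   # both rows leak
    print("fixed:     ", find_user_fixed(db, payload))        # no rows
    print(render_greeting_fixed("<script>alert(1)</script>"))
    print(safe_join("/srv/uploads", "reports/q1.pdf"))
```

Each vulnerable function returns something observable (two rows instead of none, a live script tag, a path outside the base directory), which is the quickest way to convince a reviewer that the rule was not a false positive before spending time on the fix.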

Viewing Full Details

The PR comment provides a summary, but full finding details are available in Mayo ASPM:

  1. Click the Mayo ASPM link in the comment footer
  2. Navigate to the asset's Findings page
  3. Filter by the scan that corresponds to the PR
  4. Click any finding to see the full detail panel with:
    • Complete description
    • Code snippet with highlighted lines
    • CWE/CVE references
    • Remediation guidance
    • Rule documentation

Next Steps