Specify branch for individual checks

[jan-verb]

Description

Currently, you can only specify what branch you want all of your checks to run on via the policy-branch input.

Propose Solution

It would be nice if you could specify different branches for different checks. For example, I'd like the Dependabot check to always run against main, so as to block merges to main until those Dependabot findings have been resolved, but I'd like the Secret Scanning alerts to run on my feature branch so as to ensure that no secrets are pushed up to it.

[GeekMasher]

This is a very interesting idea and might be something we can add to the v3 spec.

Would you say maybe something like this in the threat modelling block might work?

# ...
threatmodels:
  # ...
  advanced-security-high:
    uses: ./policies/high.yml
    branches:
      - main
      - dev
      - release/*
    repositories:
      - advanced-security/policy-as-code
      - advanced-security/codeql-queries

So you have to match on the repository and the branch for the policy to apply.

[jan-verb]

I may not be understanding you correctly, but I don't think so.

Per my solution above, something like this is what I had in mind:

dependabot:
  enabled: true
  branches:
    - main
    - master

secretscanning:
  enabled: true
  # not specifying `branches` defaults to all branches

[jan-verb]

Hi @GeekMasher, I just wanted to see if there's any update here, as I'll be continuing to work on GHAS at my company shortly, where this would be very helpful.