
Interactive command handling targeting the CxFlow user's name for PR workflow kickstarting #831

Open
nleach999 opened this issue Sep 27, 2021 · 0 comments

Comments

@nleach999
Contributor

Describe the problem

CxFlow is stateless, so it is subject to workflows not completing due to a variety of recoverable failure cases such as:

  • Connection to CxFlow can't be made.
  • CxFlow can't make a connection to the SCM
  • CxFlow box/service is bounced mid-scan
  • SAST scan fails
  • CxFlow times out waiting for the SAST scan

This is not intended to be a comprehensive list but demonstrates where the CxFlow workflow could leave the PR in a state where a merge can't be completed. This can require someone with admin privileges to force a merge or for a developer to "touch" a file with a dummy commit to re-start a workflow. While these work, it is not ideal.

Proposed solution

Use PR comments to address the user account that is posting CxFlow comments and/or just use "@CXFlow" to address the CxFlow endpoint. These commands would kickstart workflows at a point of failure. Some example commands:

These are examples and not meant to be a comprehensive list of commands that might be needed.

@CXFlow open the pod bay doors

(or "@CXFlow ping" if no one is a Kubrick fan)
CxFlow posts a status comment "I'm afraid I can't do that Dave" to indicate it is alive and listening.

@CXFlow update

CxFlow comments one of the following:

  • the latest status of a current running scan
  • if no scan is running, fetches the last scan executed for the branch after the PR open date
  • if no scan has ever run or has not run since the PR open date, start the scan, report the summary in the PR, set merge block flags, etc.

This particular one has many use-cases such as fetching triage state post-scan and updating the PR. Currently the only way to do this is to perform a dummy commit to get a PR update event to perform a full re-scan. Sometimes that full re-scan takes a lot of time just to get an updated triage state in the PR comment to un-block the merge.

@CXFlow rescan

CxFlow evaluates if there is a running scan and does one of the following:

  • If there is a scan running for the PR, comment "There is a scan currently running. Please use the restart command to stop and re-start the current scan"
  • If there is not a scan running, start a scan and post PR summary comment

Additional details

For SCMs like ADO that have comment statuses, comments should set the appropriate comment status.

e.g.:

@CXFlow open the pod bay doors

CxFlow comments "I'm afraid I can't do that Dave" and the obvious comment status is Closed (pun totally intended)

CxFlow would probably need a configuration option to allow the timezone of the SAST server to be specified so that times can be matched properly (since SAST often reports times that are "local" with no TZ offset)

Some of these would require some state management given multiple CxFlow instances may be running as a cluster. Some of the workflow failures could technically be avoided if CxFlow were able to recover workflows in some cases (not all) just by being aware of the state of each event handling endpoint.

@nleach999 nleach999 added the enhancement New feature or request label Sep 27, 2021
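The command dispatch and the timezone-aware "last scan since the PR opened" lookup described in the issue, as an added example that is not part of this issue or of CxFlow's own (Java) code base. It assumes a hypothetical bot mention name of `@cxflow`, a constructed in-memory stand-in for the SAST API (`FakeSast`), and constructed scan timestamps; only the command strings and reply texts are taken from the issue. The point it makes concrete is the timezone caveat: a SAST server reporting naive local times must have its zone configured, or a scan that actually finished after the PR opened is judged to be older than the PR and a needless full re-scan is started.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from zoneinfo import ZoneInfo

# Assumed mention handle; in a real deployment this would come from configuration.
BOT_HANDLE = "cxflow"
BUSY_MSG = ("There is a scan currently running. Please use the restart "
            "command to stop and re-start the current scan")


@dataclass
class Scan:
    scan_id: int
    branch: str
    finished_at: Optional[str]  # SAST-style local wall-clock time, no offset; None while running
    summary: str = ""


class FakeSast:
    """Constructed stand-in for the SAST API, holding the scans of one project."""

    def __init__(self, server_tz: str, scans):
        # The configuration option the issue asks for: the SAST server's timezone.
        self.tz = ZoneInfo(server_tz)
        self.scans = list(scans)

    def finished_at_utc(self, scan: Scan) -> datetime:
        # Attach the configured zone to the naive timestamp, then normalise to UTC
        # so it can be compared with the SCM's PR-open timestamp.
        naive = datetime.strptime(scan.finished_at, "%Y-%m-%d %H:%M:%S")
        return naive.replace(tzinfo=self.tz).astimezone(timezone.utc)

    def running(self, branch: str) -> Optional[Scan]:
        return next((s for s in self.scans if s.branch == branch and s.finished_at is None), None)

    def latest_after(self, branch: str, since: datetime) -> Optional[Scan]:
        done = [s for s in self.scans
                if s.branch == branch and s.finished_at is not None
                and self.finished_at_utc(s) >= since]
        return max(done, key=self.finished_at_utc, default=None)

    def start(self, branch: str) -> Scan:
        scan = Scan(max((s.scan_id for s in self.scans), default=0) + 1, branch, None)
        self.scans.append(scan)
        return scan


# "@<bot> <command>" on a line of its own; the mention is matched case-insensitively.
COMMAND_RE = re.compile(r"^\s*@(?P<bot>[\w-]+)\s+(?P<cmd>.+?)\s*$", re.IGNORECASE | re.DOTALL)
ALIASES = {"ping": "ping", "open the pod bay doors": "ping",
           "update": "update", "rescan": "rescan"}


def parse_command(body: str, bot_handle: str = BOT_HANDLE) -> Optional[str]:
    """Return the canonical command name, or None if the comment is not addressed to the bot."""
    m = COMMAND_RE.match(body)
    if m is None or m.group("bot").lower() != bot_handle.lower():
        return None
    return ALIASES.get(" ".join(m.group("cmd").lower().split()))


def handle_comment(pr_branch: str, pr_opened_at: datetime, author: str, body: str,
                   sast: FakeSast, bot_handle: str = BOT_HANDLE) -> Optional[str]:
    """Return the status comment the bot should post, or None if nothing should be posted."""
    # Never react to the bot's own status comments, or a reply could re-trigger a command.
    if author.lower() == bot_handle.lower():
        return None
    cmd = parse_command(body, bot_handle)
    if cmd is None:
        return None
    if cmd == "ping":
        return "I'm afraid I can't do that Dave"
    running = sast.running(pr_branch)
    if cmd == "rescan":
        if running:
            return BUSY_MSG
        return f"Started scan {sast.start(pr_branch).scan_id}"
    # cmd == "update": report the running scan, else the last scan since the PR opened, else start one.
    if running:
        return f"Scan {running.scan_id} is still running"
    last = sast.latest_after(pr_branch, pr_opened_at)
    if last:
        return f"Scan {last.scan_id} finished {last.finished_at} ({sast.tz.key}): {last.summary}"
    return f"No scan since PR opened; started scan {sast.start(pr_branch).scan_id}"


def demo(server_tz: str = "America/New_York"):
    # Constructed data: PR opened at 14:00 UTC; the SAST server clock is US Eastern (UTC-4 in September).
    opened = datetime(2021, 9, 27, 14, 0, tzinfo=timezone.utc)
    sast = FakeSast(server_tz, [
        Scan(1, "feature/x", "2021-09-27 09:30:00", "3 High, 2 Medium"),  # 13:30 UTC, before the PR opened
        Scan(2, "feature/x", "2021-09-27 10:30:00", "0 High, 1 Medium"),  # 14:30 UTC, after the PR opened
    ])
    bodies = ["@CXFlow open the pod bay doors", "@CXFlow update", "@CXFlow rescan",
              "@CXFlow rescan", "Unrelated review comment"]
    return [handle_comment("feature/x", opened, "dev", body, sast) for body in bodies]


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

Running `demo()` with the correct zone answers `@CXFlow update` from scan 2 without starting anything; running it with `server_tz="UTC"` (the mistake the issue warns about) treats 10:30 as 10:30 UTC, finds no scan newer than the PR, and kicks off a fresh scan instead. The author check at the top of `handle_comment` is the one piece of defensive logic worth carrying into a real implementation: the bot's own replies arrive as comment events too.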