Create blogpost about OpenScanHub prototype

Related to packit#899

posts/openscanhub-prototype/index.md

@@ -0,0 +1,70 @@
+---
+title: "SAST using OpenScanHub is here!"
+date: 2024-07-30T08:46:18+02:00
+authors: lbarczio
+tags:
+  - copr
+  - srpm
+  - sast
+  - openscanhub
+---
+
+We are excited to announce a new experimental feature in our service: the integration of Static
+Application Security Testing (SAST) using [OpenScanHub](https://openscanhub.fedoraproject.org/).
+
+OpenScanHub is a service that runs various static analyzers on RPM packages - by default `Cppcheck`,
+`ShellCheck`, the static analyzers embedded in `GCC` and `Clang`, and the `find-unicode-control` tool.
+
+Let's have a look at the functionality we are bringing with this!
+
+<!--truncate-->
+
+## Functionality
+
+This functionality is designed to enhance software security and reliability by automatically
+scanning for vulnerabilities and issues in code submitted through pull requests.
+It is controlled using the configuration option
+[`osh_diff_scan_after_copr_build`](/docs/configuration#osh_diff_scan_after_copr_build),
+which is currently set to `true` by default.
+However, even with this option enabled, the differential scanning feature in OpenScanHub
+will only run for users who have also configured Copr builds with the `trigger: commit`
+setting and have matching target branches in their pull request and job configurations.
+This setup is crucial as it allows Packit to access the base build necessary for differential
+scanning, leading to more precise detection of issues introduced by the pull request.
+
+To utilise this feature, you must ensure that Copr builds for commits are configured,
+along with Copr builds for pull requests, both set to run for `fedora-rawhide-x86_64`.
+If you haven't enabled Copr builds for commits yet, you can add the following job
+configuration to the `jobs` section in your Packit configuration:
+
+```yaml
+- job: copr_build
+  trigger: commit
+  branch: main
+  targets:
+    - fedora-rawhide
+```
+
+This configuration assumes that pull requests are typically merged into the `main` branch.
+It can be further tweaked to preserve the Copr project (and not create a temporary one,
+see more details [here](https://packit.dev/docs/configuration/upstream/copr_build#optional-parameters))
+or use a custom Copr project in your Copr namespace (more details
+[here](https://packit.dev/docs/configuration/upstream/copr_build#using-a-custom-copr-project)).
+
+Here is an example of a scan showing some new findings:
+
+![Example findings](openscanhub-findings.png)
+
+:::tip
+
+Besides this newly introduced integration with Packit Service, you can also submit scans locally using Packit CLI,
+see more details in [docs](/docs/cli/scan-in-osh).
+
+:::
+
+## Conclusion
+
+As this is an initial prototype, the configuration and functionality may evolve based on user feedback
+(e.g. reporting the actual results of a scan).
+We invite you to try out this feature and [share your thoughts](/#contact) with us.
+For more information on setting up this feature, see the info above.