goodwithtech / dockle

Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start
https://containers.goodwith.tech/
Apache License 2.0

Sarif upload failure to GitHub action upload-sarif@v2 #207

Closed. ndoell closed this 1 year ago.

ndoell commented 2 years ago

When passing the sarif output from a local container scan to upload-sarif it fails to recognize the URI path provided by dockle.

Snippet of action.

      - name: Upload Dockle scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'dockle-image-results.sarif'
          category: 'image'

Action log snippet.

 Error: Code Scanning could not process the submitted SARIF file:
  SARIF URI scheme "docker" did not match the checkout URI scheme "file",
  Error: Code Scanning could not process the submitted SARIF file:
  SARIF URI scheme "docker" did not match the checkout URI scheme "file",

Snippet from dockle-image-results.sarif

"locations": [
  {
    "physicalLocation": {
      "artifactLocation": {
        "uri": "docker://test-container"
      }
    }
  }
]

If "uri": "docker://test-container" is changed to just "uri": "test-container", the results will upload. I'm going to assume "uri": "localhost://test-container" would pass as well.
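
A workaround for the scheme mismatch described above, added here as an example that is not part of this thread or of dockle itself: it rewrites every artifactLocation.uri in a SARIF file from docker://name to the bare name before the file is handed to upload-sarif. The SAMPLE_SARIF document and its rule id are constructed for the example.

```python
import json
import sys
from urllib.parse import urlsplit

# Constructed sample modelled on the dockle SARIF quoted in the issue (placeholder rule id).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Dockle"}},
        "results": [{
            "ruleId": "EXAMPLE-0001",
            "message": {"text": "example finding"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "docker://test-container"}}}],
        }],
    }],
})

def strip_uri_scheme(uri: str, schemes=("docker",)) -> str:
    """Drop a scheme in `schemes`; GitHub code scanning rejects a SARIF whose
    artifactLocation URI scheme differs from the checkout scheme ("file"), so
    "docker://test-container" becomes the bare path "test-container"."""
    parts = urlsplit(uri)
    if parts.scheme in schemes:
        return uri[len(parts.scheme) + len("://"):]
    return uri

def rewrite_sarif(text: str) -> tuple:
    """Rewrite every result location URI in a SARIF document.
    Returns (rewritten JSON text, number of URIs changed)."""
    doc = json.loads(text)
    changed = 0
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation", {})
                if "uri" not in art:
                    continue
                new = strip_uri_scheme(art["uri"])
                if new != art["uri"]:
                    art["uri"] = new
                    changed += 1
    return json.dumps(doc, indent=2), changed

if __name__ == "__main__":
    # Usage: python fix_sarif.py dockle-image-results.sarif > fixed.sarif
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    fixed, n = rewrite_sarif(src)
    sys.stderr.write(f"rewrote {n} URI(s)\n")
    print(fixed)
```

Run it on the real dockle output as a step before upload-sarif; without a file argument it processes the embedded sample.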

tomoyamachi commented 1 year ago

@ndoell I've fixed it on v0.4.10.