google-github-actions / analyze-code-security-scc

A GitHub Action to analyze Terraform and IaC configurations in Security Command Center.
https://cloud.google.com/security-command-center
Apache License 2.0

Asking for clarification about SARIF report upload #29

Open jasonloewen opened 2 months ago

jasonloewen commented 2 months ago

The README states:

I was hoping that meant the violation report would get uploaded and imported to the GH Security Advisories, but I can only download the artifact from the link in the workflow. Is this the intended result?

sanyam803 commented 1 month ago

Yes, the report gets uploaded in the run workflow and, out of the box, it is not uploaded to GH Security Advisory, but it is available as an output of the analyze-code-security-scc step and can be consumed by any subsequent step.

Tenet: The GitHub action is mainly responsible for generating the SARIF file and making it available for consumption by subsequent steps. The action is closely in line with SRP and hence any additional functionality is delivered through the existing ecosystem of GitHub Actions.

That being said, currently the documentation illustrates an example where we use the GitHub-provided action actions/upload-artifact (https://github.com/actions/upload-artifact) to upload the report to the workflow run workspace. But users can definitely experiment with other available actions like github/codeql-action/upload-sarif (https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions) to upload the SARIF generated by analyze-code-security-scc to the GitHub repository and benefit from code scanning alerts.

AI on us: Enhance documentation to illustrate integration of github/codeql-action/upload-sarif to upload the SARIF report to the repository.

jasonloewen commented 1 month ago

We did try the upload-sarif action before I posted this question, but got what look like schema-related errors. It doesn't like "informationUri": "". Can you confirm that the SARIF 2.1.0 schema is being used to generate the report?

Here is the response from the workload:

{
    "path": [
      "runs",
      0,
      "tool",
      "driver",
      "informationUri"
    ],
    "property": "instance.runs[0].tool.driver.informationUri",
    "message": "does not conform to the \"uri\" format",
    "schema": {
      "description": "The absolute URI at which information about this version of the tool component can be found.",
      "type": "string",
      "format": "uri"
    },
    "instance": "",
    "name": "format",
    "argument": "uri",
    "stack": "instance.runs[0].tool.driver.informationUri does not conform to the \"uri\" format"
  }

sanyam803 commented 1 month ago

Yes, we are adhering to SARIF 2.1.0 guidelines. "informationUri" is a valid property, but it seems like it cannot be an empty URL. We will take an action item to fix the report structure and file a bug for now.

Filed a bug: https://github.com/google-github-actions/analyze-code-security-scc/issues/35
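As an added example (not code from the action or from anyone in this thread), a small Python pre-flight check that applies the same SARIF 2.1.0 "uri" format rule to `runs[*].tool.driver.informationUri` before a report is handed to an uploader, so an empty value like the one in the error above is caught locally; the sample SARIF document is constructed for the example.

```python
"""Pre-flight check for a SARIF file before passing it to a SARIF uploader.

Mirrors the one schema complaint quoted in the issue: when present,
runs[*].tool.driver.informationUri must be an absolute URI, so an empty
string is rejected (the property itself is optional in SARIF 2.1.0).
"""
import json
from urllib.parse import urlsplit


def is_absolute_uri(value):
    """True if value is a non-empty string with a scheme and a host or path."""
    if not isinstance(value, str) or not value:
        return False
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


def check_driver_info_uris(sarif):
    """Return one problem string per driver whose informationUri is invalid.

    Problem strings use the same property path style as the uploader's
    error (e.g. runs[0].tool.driver.informationUri).
    """
    problems = []
    for index, run in enumerate(sarif.get("runs", [])):
        driver = run.get("tool", {}).get("driver", {})
        # Only validate when the optional property is actually present.
        if "informationUri" in driver and not is_absolute_uri(driver["informationUri"]):
            problems.append(
                f'runs[{index}].tool.driver.informationUri does not conform to the "uri" format'
            )
    return problems


def check_sarif_file(path):
    """Load a SARIF file from disk and run the informationUri check on it."""
    with open(path, "r", encoding="utf-8") as handle:
        return check_driver_info_uris(json.load(handle))


# Constructed sample resembling the failing report: an empty informationUri.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "analyze-code-security-scc",
                                  "informationUri": ""}},
              "results": []}],
}

if __name__ == "__main__":
    for problem in check_driver_info_uris(SAMPLE_SARIF):
        print(problem)
```

Running the check on the constructed sample prints the same property path and message the uploader reported; replacing the empty string with a real URL, or dropping the property, clears it.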

sanyam803 commented 2 weeks ago

We have addressed the above gaps and fixed the bug. @jasonloewen can you please try again?