jasonloewen opened 2 months ago
Yes, the report gets uploaded in the run workflow and out of the box it is not uploaded to GH Security Advisory, but it is available as an output of the analyze-code-security-scc step and can be consumed by any subsequent step.
Tenet: The GitHub action is mainly responsible for generating the SARIF file and making it available for consumption by subsequent steps. The action is closely in line with SRP and hence any additional functionality is delivered through the existing ecosystem of GitHub Actions.
That being said, currently the documentation illustrates an example where we use the GitHub-provided action actions/upload-artifact (https://github.com/actions/upload-artifact) to upload the report to the workflow run workspace.
But users can definitely experiment with other available actions like github/codeql-action/upload-sarif (https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions) to upload the SARIF generated by analyze-code-security-scc to the GitHub repository and benefit from code scanning alerts.
AI on us: Enhance documentation to illustrate integration of github/codeql-action/upload-sarif to upload the SARIF report to the repository.
We did try the upload-sarif action before I posted this question, but got what looks like schema-related errors. It doesn't like `"informationUri": ""`. Can you confirm that the SARIF 2.1.0 schema is being used to generate the report?
Here is the response from the workload:

```json
{
  "path": [
    "runs",
    0,
    "tool",
    "driver",
    "informationUri"
  ],
  "property": "instance.runs[0].tool.driver.informationUri",
  "message": "does not conform to the \"uri\" format",
  "schema": {
    "description": "The absolute URI at which information about this version of the tool component can be found.",
    "type": "string",
    "format": "uri"
  },
  "instance": "",
  "name": "format",
  "argument": "uri",
  "stack": "instance.runs[0].tool.driver.informationUri does not conform to the \"uri\" format"
}
```
Yes, we are adhering to SARIF 2.1.0 guidelines. `"informationUri"` is a valid property, but it seems like it cannot be an empty URL. We will take an action item to fix the report structure and file a bug for now.
Filed a bug: https://github.com/google-github-actions/analyze-code-security-scc/issues/35
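As an added example (not code from this thread or from the analyze-code-security-scc project), the following script reproduces the check that upload-sarif's schema validation tripped on: it walks `runs[].tool.driver.informationUri` in a SARIF 2.1.0 log, reports values that are not absolute URIs, and, because the property is optional in SARIF 2.1.0, strips empty ones so the log validates again. The embedded SARIF document is a constructed sample, not output of the real action.

```python
import json
from urllib.parse import urlparse

# Constructed sample SARIF 2.1.0 log mimicking the report described in this
# thread: a tool driver whose informationUri is an empty string.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "informationUri": ""}},
        "results": [],
    }],
})


def load_sample():
    """Return a fresh parsed copy of the constructed sample log."""
    return json.loads(SAMPLE_SARIF)


def is_absolute_uri(value):
    """True only for a non-empty string with a scheme and host, e.g. https://host/path."""
    if not isinstance(value, str) or not value:
        return False
    parsed = urlparse(value)
    return bool(parsed.scheme) and bool(parsed.netloc)


def find_invalid_information_uris(sarif):
    """Return JSON paths of tool.driver.informationUri values that fail the "uri" format."""
    bad = []
    for i, run in enumerate(sarif.get("runs", [])):
        driver = run.get("tool", {}).get("driver", {})
        if "informationUri" in driver and not is_absolute_uri(driver["informationUri"]):
            bad.append(f"runs[{i}].tool.driver.informationUri")
    return bad


def sanitize(sarif):
    """Remove empty informationUri properties in place and return the log.

    SARIF 2.1.0 only requires toolComponent.name, so omitting the property is
    valid, whereas an empty string violates the schema's "uri" format.
    """
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        if driver.get("informationUri") == "":
            del driver["informationUri"]
    return sarif
```

Run `find_invalid_information_uris` on the action's output before the upload step; if it reports paths, `sanitize` the file (or wait for the fixed report format) before handing it to upload-sarif.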
We have addressed the above gaps and fixed the bug. @jasonloewen can you please try again?
The README states:
I was hoping that meant the violation report would get uploaded and imported to the GH Security Advisories, but I can only download the artifact from the link in the workflow. Is this the intended result?