ludeeus / action-shellcheck

GitHub action for ShellCheck.
MIT License

Generate scan results as a SARIF file #62

Closed arkq closed 2 years ago

arkq commented 2 years ago

This PR is based on PR #61

This PR is a proof-of-concept for generating SARIF report file and uploading it to Github Advanced Security (GHAS).

It seems that it works, ~but there is one issue: https://github.com/psastras/sarif-rs/issues/271~

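The PoC described above converts ShellCheck findings into a SARIF log that GitHub code scanning can ingest. The script below is an added example and is not the PR's or the action's own code: it reads the JSON ShellCheck emits with `-f json` (a bare array of comment objects) or `-f json1` (an object with a `comments` array), assigns each finding a SARIF `ruleId` of the form `SC<code>`, maps ShellCheck's four severities onto the SARIF levels `error`, `warning` and `note`, and attaches a `physicalLocation` with a 1-based region. The `SAMPLE_SHELLCHECK_JSON` input is constructed for this example; using the first message seen for a rule as its `shortDescription` and `%SRCROOT%` as the `uriBaseId` are choices made here, not something the thread prescribes.

```python
"""Convert ShellCheck JSON findings into a SARIF 2.1.0 log (example code, not the action's own)."""
from __future__ import annotations

import json
import sys
from typing import Any

# Constructed sample of `shellcheck -f json` output; field names match what ShellCheck emits.
SAMPLE_SHELLCHECK_JSON = """
[
  {"file": "./scripts/deploy.sh", "line": 12, "endLine": 12, "column": 8, "endColumn": 13,
   "level": "warning", "code": 2086,
   "message": "Double quote to prevent globbing and word splitting.", "fix": null},
  {"file": "./scripts/deploy.sh", "line": 20, "endLine": 20, "column": 1, "endColumn": 4,
   "level": "error", "code": 2068,
   "message": "Double quote array expansions to avoid re-splitting elements.", "fix": null},
  {"file": "./scripts/build.sh", "line": 3, "endLine": 3, "column": 1, "endColumn": 14,
   "level": "style", "code": 2086,
   "message": "Double quote to prevent globbing and word splitting.", "fix": null}
]
"""

# ShellCheck severities -> SARIF result levels. SARIF has no "info" or "style",
# so both are reported as "note" (an assumption made for this example).
LEVEL_MAP = {"error": "error", "warning": "warning", "info": "note", "style": "note"}


def load_findings(text: str) -> list[dict[str, Any]]:
    """Accept both `-f json` (array) and `-f json1` ({"comments": [...]}) output shapes."""
    data = json.loads(text)
    return data["comments"] if isinstance(data, dict) else data


def shellcheck_to_sarif(findings: list[dict[str, Any]], tool_version: str = "unknown") -> dict[str, Any]:
    rules: list[dict[str, Any]] = []       # reportingDescriptor objects, one per distinct SCxxxx
    rule_index: dict[str, int] = {}        # ruleId -> position in `rules`, for `ruleIndex`
    results: list[dict[str, Any]] = []

    for f in findings:
        rule_id = f"SC{f['code']}"
        if rule_id not in rule_index:
            rule_index[rule_id] = len(rules)
            rules.append({
                "id": rule_id,
                # First message seen for this code; ShellCheck messages are per finding.
                "shortDescription": {"text": f["message"]},
                "helpUri": f"https://www.shellcheck.net/wiki/{rule_id}",
            })
        results.append({
            "ruleId": rule_id,
            "ruleIndex": rule_index[rule_id],
            "level": LEVEL_MAP.get(f["level"], "none"),
            "message": {"text": f["message"]},
            "locations": [{
                "physicalLocation": {
                    # Paths are taken as given on the shellcheck command line; strip a
                    # leading "./" so the URI is relative to the repository root.
                    "artifactLocation": {"uri": f["file"].removeprefix("./"), "uriBaseId": "%SRCROOT%"},
                    "region": {
                        "startLine": f["line"], "startColumn": f["column"],
                        "endLine": f["endLine"], "endColumn": f["endColumn"],
                    },
                }
            }],
        })

    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": "ShellCheck",
                "version": tool_version,
                "informationUri": "https://www.shellcheck.net/",
                "rules": rules,
            }},
            "results": results,
        }],
    }


def convert(text: str, tool_version: str = "unknown") -> str:
    """Return the SARIF document as a JSON string."""
    return json.dumps(shellcheck_to_sarif(load_findings(text), tool_version), indent=2)


if __name__ == "__main__":
    # Usage: shellcheck -f json scripts/*.sh | python sc2sarif.py > shellcheck.sarif
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHELLCHECK_JSON
    print(convert(source))
```

The resulting file is what the thread calls the "manual" upload step: it is handed to GitHub code scanning with the `github/codeql-action/upload-sarif` action's `sarif_file` input. Note that code scanning shows a finding's text from the result `message`, not from the rule's `shortDescription`, so the per-finding message is the one that matters for triage.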
ludeeus commented 2 years ago

While this is cool, I do not think this should be added here. This would be better as a standalone action.

arkq commented 2 years ago

> While this is cool, I do not think this should be added here.

OK, I kinda agree with you, that's why it is only a PoC. The ideal solution would be to extend shellcheck itself so it could output the SARIF format. However, my Haskell skill is ~zero, so I was not able to create such a PR for shellcheck :D So I searched for a shellcheck action with the least number of issues and with some extension possibilities - this repo :)

> This would be better as a standalone action.

With that I disagree. If shellcheck supported SARIF internally, this repo would support it as well, so there would be no need to create a new dedicated action. A dedicated action might be created, but in a more integrated way, e.g. no need to upload the SARIF file manually (like with CodeQL). But that can also be done with this action (this repo) by adding some input options related to GitHub Code Scanning.

Anyway, I could create such a dedicated action, but the problem is that currently I've got too many repos that I maintain... :/

jamacku commented 2 years ago

@Arkq You don't have to invest time into creating your own GitHub action. The differential-shellcheck action natively reports results in SARIF format.

ludeeus commented 2 years ago

Until this is supported by shellcheck, I will not accept this.

Thanks anyway 👍

arkq commented 2 years ago

> Until this is supported by shellcheck, I will not accept this.

That's OK with me. This PR was only a PoC.

So I guess I will have to learn Haskell :D The differential-shellcheck alternative might be OK for some people, but I think that your approach (supporting push checks and scanning everything) is better for my use case.