Open SebastianSchuetze opened 10 months ago
Expanded support for SARIF is on the roadmap: https://learn.microsoft.com/en-us/azure/devops/release-notes/features-timeline#github-advanced-security-for-azure-devops. This will at least cover the ingestion side, but also noted on the feedback around the export/output of the generated SARIF.
Thanks! I know that I can give a debug parameter with the scanning task. This will trigger a function that exports the SARIF file into the tmp folder on the agent. I bet that this file is also generated in non-debug mode. The question is just: where?
@SebastianSchuetze Here's the workaround I use currently to get the .SARIF file:

From `azure-pipelines.yml`:

```yaml
# Publish the SARIF file as a pipeline artifact
- task: PublishPipelineArtifact@1
  inputs:
    targetPath: '/home/vsts/work/_temp/advancedsecurity.codeql/out/'
    artifact: 'CodeScanningResults'
    publishLocation: 'pipeline'
  displayName: 'Publish artifact: CodeScanningResults'
```
Thanks for the nice example scripts. It would be nice if you could provide an example on how we could properly get the sarif result file that is committed to the API and commit it to the pipeline artifacts.
I can imagine that this is also an important part to support.
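An added script, not from this thread or from the Advanced Security task itself, for the collection step the workaround above relies on: it parses the CodeQL SARIF 2.1.0 files found in the task's temp `out/` folder, counts results by level and rule, and stages the files for `PublishPipelineArtifact@1`. The `out/` path, the staging directory and the embedded SARIF log are constructed assumptions.

```python
# Added example: gather and summarise CodeQL SARIF output before publishing it.
import json
import shutil
from collections import Counter
from pathlib import Path

# Constructed minimal SARIF 2.1.0 log shaped like CodeQL output (not real scan data).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "js/sql-injection", "defaultConfiguration": {"level": "error"}},
            {"id": "js/unused-local-variable", "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            {"ruleId": "js/sql-injection", "ruleIndex": 0},
            {"ruleId": "js/sql-injection", "ruleIndex": 0, "level": "warning"},
            {"ruleId": "js/unused-local-variable", "ruleIndex": 1},
        ],
    }],
}

def result_level(run, result):
    """SARIF precedence: explicit result.level, else the rule's default, else 'warning'."""
    if "level" in result:
        return result["level"]
    rules = run["tool"]["driver"].get("rules", [])
    idx = result.get("ruleIndex", -1)
    if 0 <= idx < len(rules):
        return rules[idx].get("defaultConfiguration", {}).get("level", "warning")
    return "warning"

def summarize_sarif(doc):
    """Count results per level and per rule; reject anything but SARIF 2.1.0."""
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unexpected SARIF version {doc.get('version')!r}")
    levels, rules = Counter(), Counter()
    for run in doc["runs"]:
        for res in run.get("results", []):
            levels[result_level(run, res)] += 1
            rules[res.get("ruleId", "<no ruleId>")] += 1
    return {"levels": dict(levels), "rules": dict(rules)}

def collect_sarif(out_dir, staging_dir):
    """Copy every *.sarif under out_dir (the task's temp folder) into staging_dir."""
    staging = Path(staging_dir)
    staging.mkdir(parents=True, exist_ok=True)
    copied = []
    for src in sorted(Path(out_dir).rglob("*.sarif")):
        copied.append(shutil.copy2(src, staging / src.name))
    return copied
```

In a pipeline, run `collect_sarif('/home/vsts/work/_temp/advancedsecurity.codeql/out/', '$(Build.ArtifactStagingDirectory)')` in a script step and point `PublishPipelineArtifact@1` at the staging directory; `summarize_sarif(json.load(open(path)))` on each copy gives a per-level count you can log or gate on.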