microsoft / GHAzDO-Resources

Resources, Scripts, etc. for GitHub Advanced Security on Azure DevOps
MIT License
31 stars, 14 forks

Export Sarif file in pipeline and publish it to pipeline artifacts #16

Open SebastianSchuetze opened 10 months ago

SebastianSchuetze commented 10 months ago

Thanks for the nice example scripts. It would be nice if you could provide an example of how we could properly get the SARIF result file that is committed to the API and commit it to the pipeline artifacts.

I can imagine that this is also an important part to support.

felickz commented 8 months ago

Expanded support for SARIF is on the roadmap: https://learn.microsoft.com/en-us/azure/devops/release-notes/features-timeline#github-advanced-security-for-azure-devops. This will at least cover the ingestion side, but I have also noted the feedback around the export/output of the generated SARIF.

SebastianSchuetze commented 8 months ago

Thanks! I know that I can give a debug parameter with the scanning task. This will trigger a function that exports the SARIF file into the tmp folder on the agent. I bet that this file is also generated in non-debug mode. The question is just: where?

NenoLoje commented 1 week ago

@SebastianSchuetze Here's the workaround I use currently to get the .SARIF file:

From azure-pipelines.yml:

```yaml
# Publish the SARIF file as a pipeline artifact
- task: PublishPipelineArtifact@1
  inputs:
    targetPath: '/home/vsts/work/_temp/advancedsecurity.codeql/out/'
    artifact: 'CodeScanningResults'
    publishLocation: 'pipeline'
  displayName: 'Publish artifact: CodeScanningResults'
```
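The workaround above hard-codes the Microsoft-hosted Linux agent's temp path. As an added example (not code from the GHAzDO-Resources repo or from the commenter), the script below locates `*.sarif` files under the agent temp directory via the `$(Agent.TempDirectory)` variable instead, checks that each file at least has the SARIF top-level shape before staging it, and leaves the staged directory for `PublishPipelineArtifact@1` to pick up. It assumes the scan writes its output somewhere under `$AGENT_TEMPDIRECTORY` and that `$BUILD_ARTIFACTSTAGINGDIRECTORY` is the staging directory; the function and variable names are mine.

```shell
#!/bin/sh
# Added example for the GHAzDO issue thread; not part of the repo.
# Stages SARIF produced by the Advanced Security CodeQL task without
# hard-coding /home/vsts/work/_temp. Assumes the SARIF ends up under
# $AGENT_TEMPDIRECTORY (env form of $(Agent.TempDirectory)) and that
# $BUILD_ARTIFACTSTAGINGDIRECTORY is where the publish task reads from.
set -eu

# is_sarif FILE: succeed if FILE is non-empty and carries the top-level
# "version" and "runs" keys that every SARIF 2.x log must have. This is a
# cheap shape check only (no jq dependency), not full schema validation.
is_sarif() {
  [ -s "$1" ] && grep -q '"version"' "$1" && grep -q '"runs"' "$1"
}

# collect_sarif SRC DEST: copy every *.sarif under SRC that passes is_sarif
# into DEST, warn about the rest, and print the number of files copied.
collect_sarif() {
  src="$1"
  dest="$2"
  mkdir -p "$dest"
  find "$src" -type f -name '*.sarif' | while IFS= read -r f; do
    if is_sarif "$f"; then
      cp "$f" "$dest/"
      printf '%s\n' "$f"
    else
      echo "skipping $f: not a SARIF log" >&2
    fi
  done | wc -l | tr -d ' '
}

# Pipeline usage (a bash/script step placed before PublishPipelineArtifact@1,
# whose targetPath then becomes $(Build.ArtifactStagingDirectory)/sarif):
#   n=$(collect_sarif "$AGENT_TEMPDIRECTORY" "$BUILD_ARTIFACTSTAGINGDIRECTORY/sarif")
#   [ "$n" -gt 0 ] || { echo "no SARIF produced by the scan" >&2; exit 1; }
```

Failing the step when nothing was staged makes a silently missing export visible instead of publishing an empty artifact. Remember that the staged SARIF lists every finding the scan produced, so scope artifact read access accordingly.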