Closed candrews closed 1 year ago
@michaelcfanning, With this change, the resulting SARIF results in GitHub seem to look good. I uploaded ValidResults.sarif to see what it looks like: https://github.com/candrews/sarif-test/security/code-scanning
Update release notes? Otherwise looks good.
Updated the release notes
Alright! You ready for me to burn a release for you?
I am! :-D
GitHub recommends that precision be set. Other tools, such as Trivy, set precision="very-high" when there's no available data to determine otherwise, so that's what's done here too.
tags must include "security" for GitHub to process the security-severity and consider the results to be a security finding.
See: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object
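As an added example (not code from this PR or the project), a small check that walks a SARIF log and flags rules whose `properties` lack the `precision` value or the `security` tag described above; the SARIF document is constructed inline and is not the ValidResults.sarif mentioned in the thread. The accepted precision values are taken from GitHub's SARIF support documentation, which the page links but does not quote.

```python
import json

# Constructed minimal SARIF 2.1.0 log with three rules, one compliant and two not.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-tool", "rules": [
            {"id": "RULE-OK", "properties": {
                "precision": "very-high",
                "security-severity": "7.5",
                "tags": ["security", "external/cwe/cwe-79"]}},
            {"id": "RULE-NO-TAG", "properties": {
                "precision": "very-high",
                "security-severity": "7.5",
                "tags": ["external/cwe/cwe-79"]}},
            {"id": "RULE-NO-PRECISION", "properties": {
                "security-severity": "7.5",
                "tags": ["security"]}},
        ]}},
        "results": [],
    }],
})

# Precision values accepted by GitHub code scanning (from its SARIF docs, not from this page).
VALID_PRECISION = {"very-high", "high", "medium", "low"}


def check_rules(sarif_text):
    """Return {rule_id: [problems]} for rules that GitHub would not treat as
    security findings (security-severity without the "security" tag) or that
    carry no usable precision."""
    log = json.loads(sarif_text)
    problems = {}
    for run in log.get("runs", []):
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            props = rule.get("properties", {})
            issues = []
            if props.get("precision") not in VALID_PRECISION:
                issues.append("precision missing or invalid")
            if "security-severity" in props and "security" not in props.get("tags", []):
                issues.append("security-severity set but tags lack 'security'")
            if issues:
                problems[rule["id"]] = issues
    return problems


if __name__ == "__main__":
    for rule_id, issues in check_rules(SAMPLE_SARIF).items():
        print(rule_id, "->", "; ".join(issues))
```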