rsdmike / github-security-report-action

MIT License

Results only from default #213

Open bard-hobson opened 3 months ago

bard-hobson commented 3 months ago

Running the results in an action workflow still only brings back the current default vulnerabilities. I have a test scan that has 44 vulns in the PR prior to the first merge. The resulting report shows 0 vulnerabilities.

I think it's due to the following line below, as it just runs the API. I cannot find where it actually uses the uploaded SARIF files to build the report.

type listCodeScanningAlertsParameters = Endpoints['GET /repos/{owner}/{repo}/code-scanning/alerts']['parameters']

Not sure if I am missing the connection in the code though.

peter-murray commented 3 months ago

You would need to look at the REST endpoint for this: https://docs.github.com/en/rest/code-scanning/code-scanning?apiVersion=2022-11-28#list-code-scanning-alerts-for-a-repository. There is a ref parameter that can be passed in where you can target another branch or a PR merge result.

Code scanning results would need to be registered beforehand, and if you are uploading in the same Actions workflow, the REST endpoint might not be showing the latest data as the SARIF report might still be being processed. Just something to keep in mind.
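As an added illustration of the two points above (not code from the action or from the thread), the following TypeScript builds the request for the list-alerts endpoint with a `ref` for a branch or a pull request, and gates the query on the SARIF upload's processing status. Helper names are hypothetical; the `ref` formats (`refs/heads/<name>`, `refs/pull/<number>/merge`) and the `processing_status` values come from the linked REST documentation.

```typescript
// Added example, not part of github-security-report-action.
interface AlertsTarget {
  owner: string;
  repo: string;
  branch?: string;      // branch name, e.g. "feature/x"
  pullNumber?: number;  // pull request number; alerts for the PR merge result
  state?: 'open' | 'closed' | 'dismissed' | 'fixed';
}

// Without a ref the endpoint returns alerts for the default branch, which is the
// behaviour reported in the issue. A branch is sent as refs/heads/<name>,
// a pull request must be sent as refs/pull/<number>/merge.
function refFor(t: AlertsTarget): string | undefined {
  if (t.pullNumber !== undefined) {
    if (Math.floor(t.pullNumber) !== t.pullNumber || t.pullNumber <= 0) {
      throw new Error('invalid pull request number');
    }
    return `refs/pull/${t.pullNumber}/merge`;
  }
  if (t.branch) {
    return t.branch.indexOf('refs/') === 0 ? t.branch : `refs/heads/${t.branch}`;
  }
  return undefined;
}

// Path and query string for GET /repos/{owner}/{repo}/code-scanning/alerts.
function alertsRequestPath(t: AlertsTarget): string {
  const query: string[] = [];
  const ref = refFor(t);
  if (ref) query.push(`ref=${encodeURIComponent(ref)}`);
  if (t.state) query.push(`state=${encodeURIComponent(t.state)}`);
  query.push('per_page=100');
  const base = `/repos/${encodeURIComponent(t.owner)}/${encodeURIComponent(t.repo)}/code-scanning/alerts`;
  return `${base}?${query.join('&')}`;
}

// The SARIF upload returns a sarif_id; GET /repos/{owner}/{repo}/code-scanning/sarifs/{sarif_id}
// reports its processing_status. Only list alerts once it is "complete", otherwise the report
// is built from whatever was already registered (the stale-data caveat above).
type SarifStatus = { processing_status: 'pending' | 'complete' | 'failed'; errors?: string[] };

function sarifReady(s: SarifStatus): 'wait' | 'ready' | 'failed' {
  if (s.processing_status === 'pending') return 'wait';
  if (s.processing_status === 'complete') return 'ready';
  return 'failed';
}
```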

bard-hobson commented 3 months ago

Thanks Peter for the reply. For my understanding then: the action in the marketplace tied to this code is used more for generating a report based on the default branch alone. It doesn't have the ability to put in a ref variable and do it by PR or branch, and it would be better to look at the above REST API?