New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Action with different behavior depending on event trigger #810
Comments
|
I recommend looking at the documentation on "categories" in code scanning: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#runautomationdetails-object. A category is an additional metadata string that can be provided with an analysis, which helps distinguish analyses produced by the same tool on the same commit/ref but in different circumstances (e.g. different jobs in a matrix, different subsets of a repo or analysis, different target language). In SARIF 2.1.0, the category can be provided as part of the In the scenario you describe, I suggest being careful to ensure your (For reference, you may also wish to read these docs on using categories with the CodeQL Action, which may be useful information even though your use case is independent of the CodeQL tool.) I hope this helps -- please get in touch if you have further questions! |
|
Something that's not entirely clear is:
Thanks for you help! |
I think either of these approaches will work. Either multiple SARIF files each containing one run, or a single SARIF file containing multiple runs each with a different category. The important detail is that the different runs (whether in the same SARIF file or multiple SARIF files) must have different categories, otherwise they will overwrite each other when uploaded. Experiment with both and let us know if the behaviour is not what you expect. I find it easiest to think about one SARIF file per Actions job. If you're doing multiple analyses in a single job, one SARIF file with multiple runs may be convenient. If you're doing analyses in different jobs in an Actions workflow (e.g. a job matrix, which is nice for parallelism too), one SARIF file per job is convenient.
One category per |
|
Brilliant, that clarifies everything! |
|
follow-up question: If the analysis contains no findings, is it better to return an empty list of I want to be sure that if the reported vulnerability is fixed by developers, it's automatically removed from the scanning result dashboard. After several attempts, what I found promising (I need to test more) is to populate After several hours of debugging, I hit another problem: it seems there is a limit on the maximum number of I've attached 2 files so you can verify. Thanks Let me clarify how my tool works. I have 16 analysis, which we call I'm not sure which is the right one. Can you advise? |
|
follow-up: I think the right approach is to use one run per check, otherwise GitHub is unable to compare results of a push request vs main branch, since the analysis are different (category "pull-request" vs "push") So I'm stuck with the 15 upper limit, it seems. Can anyone help? |
If the analysis ran successfully and contains no findings, create a single
Checked with my colleagues that maintain the code scanning backend. You are correct that there is a limit of 15 runs per analysis.
Thank you for the context! With that in mind, I think my initial suggestion of one category per check is not going to work. Instead, your best bet is:
Can you give this a try and let us know if it serves your purpose? |
|
Thanks. So I tried something similar this morning and it seems to work, but I'd like to know if it's equivalent to your suggestion. I've highlighted the main different below:
I did this.
I did this
This is where I implemented something slightly different. Is this what you are proposing in your comment below?
|
|
That sounds like it will work, yes. The important detail is that the 4 |
|
Thanks for the confirmation. When you say |
|
My phrasing of "need to be present" was too strict. I was thinking only of the case where there were results produced by each of those 4 checks, which needed to be matched across If a particular check doesn't have any results, I think it's a good practice to include it in The SARIF spec is not prescriptive about this: |
|
Gotcha. I'll update my code to generate rules regardless of the results. Thanks for the advice. |
I have an action that I'd like to work on both pull requests and push events. The action scans the repo and uploads a SARIF format. However, the behavior - and therefore the results - of the action depend on the trigger event. On a push event, we run all the analysis. On a pull request however, we can only run a subset of the analysis. Therefore, depending on the trigger, different results will be returned.
The SARIF is uploaded in both cases. In the case of a pull request, we only get a subset of the analysis and errors: as a result, the scanning dashboard claims some existing findings have been fixed (see this run on my test repo). This is obviously mis-leading for a user.
I'm wondering what are my options to address this issue? I've thought about changing the name of the tool dynamically in the SARIF result
"name": "mytool-pull_request"vs"name": "mytool-push"or the"id" = "category/name", but this is an ugly hack and I've tried it yet. In addition, I am not it will entirely fix my problem: changing the name of the tool or theidmay have the unintended effect that existing findings will show as "new" and block the PR, which it should not.Maybe what I need is multiple SARIF files, and set the
idto its own analysis name, as suggested in https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanningIs there a more principled way to do it? With a single SARIF file?
The text was updated successfully, but these errors were encountered: