Skip to content
This repository has been archived by the owner on Oct 13, 2023. It is now read-only.

Integrate with GitHub Security tab #170

Open
llucax opened this issue Jan 5, 2021 · 1 comment
Open

Integrate with GitHub Security tab #170

llucax opened this issue Jan 5, 2021 · 1 comment
Labels
enhancement New feature or request

Comments

@llucax
Copy link

llucax commented Jan 5, 2021

Motivation

Having the security scan action integrated with GitHub's security tab will give security issues found by the scan more visibility, and let maintainers deal with security advisories and fixes all in the same place instead of having a split between regular issues and advisories that could come from other actions integrated with the Security tab.

Workflow example

name: Security audit
on:
  push:
    paths: 
      - '**/Cargo.toml'
      - '**/Cargo.lock'
jobs:
  security_audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions-rs/audit-check@v1
        with:
          sarif-report: results.sarif
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif

Additional context

GitHub offers an action to upload SARIF reports that should make implementing this feature easier: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/uploading-a-sarif-file-to-github

SARIF is stands for Static Analysis Results Interchange Format and is a standard, JSON-based format for the output of static analysis tools. For a quick introduction you can read this: https://github.com/microsoft/sarif-tutorials/blob/main/docs/1-Introduction.md

@llucax llucax added the enhancement New feature or request label Jan 5, 2021
@amotmot
Copy link

amotmot commented Aug 13, 2021

I second this feature enhancement. At the moment a failed workflow occurs when a vulnerability is encountered and thus uploading SARIF data is not possible per above code sample.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
enhancement New feature or request
Development

No branches or pull requests

2 participants