-
Notifications
You must be signed in to change notification settings - Fork 32
Feature: SARIF output
Static Analysis Results Interchange Format (SARIF) is an industry standard enabling tools and development environments to interoperate.
GitHub has SARIF support for code scanning.
When data is published to GitHub in this format, GitHub is supposed to automatically generate shiny annotations.
Sometimes @github-advanced-security
will leave a comment on pull requests:
Users of Visual Studio Code can install the SARIF Viewer extension to retrieve the reports.
Release | Features |
---|---|
v0.0.21 | Initial support |
v0.0.22 | Adjusting sarif.json |
SARIF support is still very experimental, but the general idea is that you need to give it permissions to write security-events and you need to tell the action to generate them.
Note that you may be able to drop the comment
job entirely if you enable SARIF. It's still early, hopefully it'll be clear whether this is in fact correct soon.
jobs:
spelling:
permissions:
# ...
security-events: write
# ...
steps:
- name: check-spelling
id: spelling
uses: check-spelling/check-spelling@main
with:
# ...
use_sarif: 1
In general:
Security alerts for a repository are visible to people with write, maintain, or admin access to the repository
See Granting access to security alerts for more information.
This means that if you're a contributor without write access to a repository, you probably won't be able to click the 👼 SARIF report? link.
If you'd like to see a similar report, you should be able to create a pull request in your fork and trigger the same workflow and view the equivalent report there.
With v0.0.22, there's the ability to add a sarif.json
file to adjust severities or other fields.
This is experimental (as is SARIF support in general).
https://github.com/check-spelling/check-spelling/issues/43
- Generate SARIF json
- Support uploading it using github/codeql-action/upload-sarif@releases/v2
- Decide on how to opt-in/opt-out of using this format -- currently
use_sarif: 1
- Test in the check-spelling org -- in progress
- Trial it in other repositories
- Iterate