Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Error while uploading SARIF file using action github/codeql-action/upload-sarif #2456

Open
clementrey-dev opened this issue Sep 2, 2024 · 6 comments

Comments

@clementrey-dev
Copy link

Hello expert,
I am trying to upload a SARIF file generated by a trivy scan. Whereas the SARIF file is generated, the upload of the file in the security tab failed with the message:

Run github/codeql-action/upload-sarif@v3
  with:
    sarif_file: trivy_report.sarif
    checkout_path: /home/runner/work/aws-htc-grid/aws-htc-grid
    token: ***
    matrix: null
    wait-for-processing: true
  env:
    TRIVY_REPORT_FILE: trivy_report.sarif
    ACTIONS_STEP_DEBUG: true
Uploading results
  Processing sarif files: ["trivy_report.sarif"]
  Validating trivy_report.sarif
  Combining SARIF files using the CodeQL CLI
  Adding fingerprints to SARIF file. See https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs for more information.
  Uploading results
  Successfully uploaded results
Waiting for processing to finish
  Analysis upload status is pending.
  Analysis upload status is failed.
Error: Code Scanning could not process the submitted SARIF file:
locationFromSarifResult: expected artifact location

Do you have any clues what could be wrong with my SARIF files or how to improve observability of the action ?

@hvitved
Copy link

hvitved commented Sep 2, 2024

@starcke: Is this one for your team?

@starcke starcke self-assigned this Sep 2, 2024
@starcke
Copy link

starcke commented Sep 2, 2024

locationFromSarifResult: expected artifact location usually means that there is a missing location for one of the results. See https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#specifying-the-location-for-source-files. If the SARIF file looks correct according to the documentation, can you then share parts of it here (anonymizing it as needed), so that we can see how it looks?

@starcke starcke removed their assignment Sep 2, 2024
@clementrey-dev
Copy link
Author

I checked and it seems that all issue as well a location.

Please find below the SARIF file.

{
  "version": "2.1.0",
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "fullName": "Trivy Vulnerability Scanner",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "name": "Trivy",
          "rules": [
            {
              "id": "AVD-AWS-0066",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "Lambda functions should have X-Ray tracing enabled"
              },
              "fullDescription": {
                "text": "X-Ray tracing enables end-to-end debugging and analysis of all function activity. This will allow for identifying bottlenecks, slow downs and timeouts."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0066",
              "help": {
                "text": "Misconfiguration AVD-AWS-0066\nType: CloudFormation Security Check\nSeverity: LOW\nCheck: Lambda functions should have X-Ray tracing enabled\nMessage: Function does not have tracing enabled.\nLink: [AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)\nX-Ray tracing enables end-to-end debugging and analysis of all function activity. This will allow for identifying bottlenecks, slow downs and timeouts.",
                "markdown": "**Misconfiguration AVD-AWS-0066**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|CloudFormation Security Check|LOW|Lambda functions should have X-Ray tracing enabled|Function does not have tracing enabled.|[AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)|\n\nX-Ray tracing enables end-to-end debugging and analysis of all function activity. This will allow for identifying bottlenecks, slow downs and timeouts."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "2.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "LOW"
                ]
              }
            },
            {
              "id": "AVD-AWS-0057",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege"
              },
              "fullDescription": {
                "text": "You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0057",
              "help": {
                "text": "Misconfiguration AVD-AWS-0057\nType: Terraform Security Check\nSeverity: HIGH\nCheck: IAM policy should avoid use of wildcards and instead apply the principle of least privilege\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'df72e57f-3373-4d89-a731-ecde18753d1d:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)\nYou should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.",
                "markdown": "**Misconfiguration AVD-AWS-0057**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|IAM policy should avoid use of wildcards and instead apply the principle of least privilege|IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'df72e57f-3373-4d89-a731-ecde18753d1d:*'|[AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)|\n\nYou should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "8.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "HIGH"
                ]
              }
            },
            {
              "id": "AVD-AWS-0088",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "Unencrypted S3 bucket."
              },
              "fullDescription": {
                "text": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0088",
              "help": {
                "text": "Misconfiguration AVD-AWS-0088\nType: CloudFormation Security Check\nSeverity: HIGH\nCheck: Unencrypted S3 bucket.\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
                "markdown": "**Misconfiguration AVD-AWS-0088**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|CloudFormation Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\n\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "8.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "HIGH"
                ]
              }
            },
            {
              "id": "s3-bucket-logging",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "S3 Bucket Logging"
              },
              "fullDescription": {
                "text": "Ensures S3 bucket logging is enabled for S3 buckets"
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/s3-bucket-logging",
              "help": {
                "text": "Misconfiguration s3-bucket-logging\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 Bucket Logging\nMessage: Bucket has logging disabled\nLink: [s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)\nEnsures S3 bucket logging is enabled for S3 buckets",
                "markdown": "**Misconfiguration s3-bucket-logging**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)|\n\nEnsures S3 bucket logging is enabled for S3 buckets"
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "2.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "LOW"
                ]
              }
            },
            {
              "id": "AVD-AWS-0090",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "S3 Data should be versioned"
              },
              "fullDescription": {
                "text": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0090",
              "help": {
                "text": "Misconfiguration AVD-AWS-0090\nType: CloudFormation Security Check\nSeverity: MEDIUM\nCheck: S3 Data should be versioned\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
                "markdown": "**Misconfiguration AVD-AWS-0090**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|CloudFormation Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\n\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "5.5",
                "tags": [
                  "misconfiguration",
                  "security",
                  "MEDIUM"
                ]
              }
            },
            {
              "id": "AVD-AWS-0132",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "S3 encryption should use Customer Managed Keys"
              },
              "fullDescription": {
                "text": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0132",
              "help": {
                "text": "Misconfiguration AVD-AWS-0132\nType: CloudFormation Security Check\nSeverity: HIGH\nCheck: S3 encryption should use Customer Managed Keys\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
                "markdown": "**Misconfiguration AVD-AWS-0132**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|CloudFormation Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\n\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "8.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "HIGH"
                ]
              }
            },
            {
              "id": "AVD-AWS-0190",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "Ensure that response caching is enabled for your Amazon API Gateway REST APIs."
              },
              "fullDescription": {
                "text": "A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0190",
              "help": {
                "text": "Misconfiguration AVD-AWS-0190\nType: Terraform Security Check\nSeverity: LOW\nCheck: Ensure that response caching is enabled for your Amazon API Gateway REST APIs.\nMessage: Cache data is not enabled.\nLink: [AVD-AWS-0190](https://avd.aquasec.com/misconfig/avd-aws-0190)\nA REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API.",
                "markdown": "**Misconfiguration AVD-AWS-0190**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|Ensure that response caching is enabled for your Amazon API Gateway REST APIs.|Cache data is not enabled.|[AVD-AWS-0190](https://avd.aquasec.com/misconfig/avd-aws-0190)|\n\nA REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "2.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "LOW"
                ]
              }
            },
            {
              "id": "DS026",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "No HEALTHCHECK defined"
              },
              "fullDescription": {
                "text": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/ds026",
              "help": {
                "text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
                "markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "2.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "LOW"
                ]
              }
            },
            {
              "id": "AVD-AWS-0178",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you\u0026#39;ve created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \u0026#34;Rejects\u0026#34; for VPCs."
              },
              "fullDescription": {
                "text": "VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows."
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0178",
              "help": {
                "text": "Misconfiguration AVD-AWS-0178\nType: Terraform Security Check\nSeverity: MEDIUM\nCheck: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.\nMessage: VPC Flow Logs is not enabled for VPC\nLink: [AVD-AWS-0178](https://avd.aquasec.com/misconfig/avd-aws-0178)\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.",
                "markdown": "**Misconfiguration AVD-AWS-0178**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|MEDIUM|VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.|VPC Flow Logs is not enabled for VPC|[AVD-AWS-0178](https://avd.aquasec.com/misconfig/avd-aws-0178)|\n\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "5.5",
                "tags": [
                  "misconfiguration",
                  "security",
                  "MEDIUM"
                ]
              }
            }
          ],
          "version": "0.53.0"
        }
      },
      "results": [
        {
          "ruleId": "AVD-AWS-0066",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Artifact: \nType: cloudformation\nVulnerability AVD-AWS-0066\nSeverity: LOW\nMessage: Function does not have tracing enabled.\nLink: [AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": ""
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml\nType: cloudformation\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'cloudformation:DescribeStacks' on wildcarded resource '*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 109,
                  "startColumn": 1,
                  "endLine": 109,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml\nType: cloudformation\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'arn:${AWS::Partition}:logs:*:*:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 109,
                  "startColumn": 1,
                  "endLine": 109,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0088",
          "ruleIndex": 2,
          "level": "error",
          "message": {
            "text": "Artifact: deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml\nType: cloudformation\nVulnerability AVD-AWS-0088\nSeverity: HIGH\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 279,
                  "startColumn": 1,
                  "endLine": 290,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "s3-bucket-logging",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Artifact: deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml\nType: cloudformation\nVulnerability s3-bucket-logging\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 279,
                  "startColumn": 1,
                  "endLine": 290,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0090",
          "ruleIndex": 4,
          "level": "warning",
          "message": {
            "text": "Artifact: deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml\nType: cloudformation\nVulnerability AVD-AWS-0090\nSeverity: MEDIUM\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 279,
                  "startColumn": 1,
                  "endLine": 290,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0132",
          "ruleIndex": 5,
          "level": "error",
          "message": {
            "text": "Artifact: deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml\nType: cloudformation\nVulnerability AVD-AWS-0132\nSeverity: HIGH\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 279,
                  "startColumn": 1,
                  "endLine": 290,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0190",
          "ruleIndex": 6,
          "level": "note",
          "message": {
            "text": "Artifact: deployment/grid/terraform/control_plane/openapi_private.tf\nType: terraform\nVulnerability AVD-AWS-0190\nSeverity: LOW\nMessage: Cache data is not enabled.\nLink: [AVD-AWS-0190](https://avd.aquasec.com/misconfig/avd-aws-0190)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/grid/terraform/control_plane/openapi_private.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 124,
                  "startColumn": 1,
                  "endLine": 137,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/grid/terraform/control_plane/openapi_private.tf"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0190",
          "ruleIndex": 6,
          "level": "note",
          "message": {
            "text": "Artifact: deployment/grid/terraform/control_plane/openapi_public.tf\nType: terraform\nVulnerability AVD-AWS-0190\nSeverity: LOW\nMessage: Cache data is not enabled.\nLink: [AVD-AWS-0190](https://avd.aquasec.com/misconfig/avd-aws-0190)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/grid/terraform/control_plane/openapi_public.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 123,
                  "startColumn": 1,
                  "endLine": 136,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/grid/terraform/control_plane/openapi_public.tf"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: deployment/image_repository/lambda_runtimes/Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/image_repository/lambda_runtimes/Dockerfile",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/image_repository/lambda_runtimes/Dockerfile"
              }
            }
          ]
        },
        {
          "ruleId": "s3-bucket-logging",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Artifact: deployment/init_grid/cloudformation/grid_state.yaml\nType: cloudformation\nVulnerability s3-bucket-logging\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/init_grid/cloudformation/grid_state.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 153,
                  "startColumn": 1,
                  "endLine": 172,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/init_grid/cloudformation/grid_state.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "s3-bucket-logging",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Artifact: deployment/init_grid/cloudformation/grid_state.yaml\nType: cloudformation\nVulnerability s3-bucket-logging\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/init_grid/cloudformation/grid_state.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 239,
                  "startColumn": 1,
                  "endLine": 258,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/init_grid/cloudformation/grid_state.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "s3-bucket-logging",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Artifact: deployment/init_grid/cloudformation/grid_state.yaml\nType: cloudformation\nVulnerability s3-bucket-logging\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/init_grid/cloudformation/grid_state.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 67,
                  "startColumn": 1,
                  "endLine": 86,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/init_grid/cloudformation/grid_state.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: docs/workshop/Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "docs/workshop/Dockerfile",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "docs/workshop/Dockerfile"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: examples/submissions/k8s_jobs/Dockerfile.Submitter\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "examples/submissions/k8s_jobs/Dockerfile.Submitter",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "examples/submissions/k8s_jobs/Dockerfile.Submitter"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: examples/workloads/c++/mock_computation/Dockerfile.Build\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "examples/workloads/c++/mock_computation/Dockerfile.Build",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "examples/workloads/c++/mock_computation/Dockerfile.Build"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: examples/workloads/java/mock_computation/Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "examples/workloads/java/mock_computation/Dockerfile",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "examples/workloads/java/mock_computation/Dockerfile"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: examples/workloads/java/quant_lib/Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "examples/workloads/java/quant_lib/Dockerfile",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "examples/workloads/java/quant_lib/Dockerfile"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: examples/workloads/python/mock_computation/Dockerfile.Build\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "examples/workloads/python/mock_computation/Dockerfile.Build",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "examples/workloads/python/mock_computation/Dockerfile.Build"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: examples/workloads/python/quant_lib/Dockerfile.Build\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "examples/workloads/python/quant_lib/Dockerfile.Build",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "examples/workloads/python/quant_lib/Dockerfile.Build"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: source/compute_plane/python/agent/Dockerfile.Lambda\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "source/compute_plane/python/agent/Dockerfile.Lambda",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "source/compute_plane/python/agent/Dockerfile.Lambda"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: source/compute_plane/python/agent/Dockerfile.Local\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "source/compute_plane/python/agent/Dockerfile.Local",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "source/compute_plane/python/agent/Dockerfile.Local"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: source/compute_plane/shell/attach-layer/Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "source/compute_plane/shell/attach-layer/Dockerfile",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "source/compute_plane/shell/attach-layer/Dockerfile"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: terraform-aws-modules/lambda/aws/iam.tf\nType: terraform\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource '08dc8bb2-e5b3-478e-9e5d-d02a9064d6c4:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/lambda/aws/iam.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 130,
                  "startColumn": 1,
                  "endLine": 130,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/lambda/aws/iam.tf"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: terraform-aws-modules/lambda/aws/iam.tf\nType: terraform\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource '11be5e6e-eedc-422d-be69-4f5aa9e53e28:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/lambda/aws/iam.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 130,
                  "startColumn": 1,
                  "endLine": 130,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/lambda/aws/iam.tf"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: terraform-aws-modules/lambda/aws/iam.tf\nType: terraform\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource '2f226c54-6f2d-454b-9da0-aa1bfe547896:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/lambda/aws/iam.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 130,
                  "startColumn": 1,
                  "endLine": 130,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/lambda/aws/iam.tf"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: terraform-aws-modules/lambda/aws/iam.tf\nType: terraform\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource '5bf0c93e-0bee-47bd-b82d-6107c3423a95:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/lambda/aws/iam.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 130,
                  "startColumn": 1,
                  "endLine": 130,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/lambda/aws/iam.tf"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: terraform-aws-modules/lambda/aws/iam.tf\nType: terraform\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'a64b0897-3644-42e4-bc9f-418cd15ede0d:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/lambda/aws/iam.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 130,
                  "startColumn": 1,
                  "endLine": 130,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/lambda/aws/iam.tf"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: terraform-aws-modules/lambda/aws/iam.tf\nType: terraform\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'df72e57f-3373-4d89-a731-ecde18753d1d:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/lambda/aws/iam.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 130,
                  "startColumn": 1,
                  "endLine": 130,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/lambda/aws/iam.tf"
              }
            }
          ]
        },
        {
          "ruleId": "s3-bucket-logging",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Artifact: terraform-aws-modules/s3-bucket/aws/main.tf\nType: terraform\nVulnerability s3-bucket-logging\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/s3-bucket/aws/main.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 25,
                  "startColumn": 1,
                  "endLine": 34,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/s3-bucket/aws/main.tf"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0178",
          "ruleIndex": 8,
          "level": "warning",
          "message": {
            "text": "Artifact: terraform-aws-modules/vpc/aws/modules/vpc-endpoints/main.tf\nType: terraform\nVulnerability AVD-AWS-0178\nSeverity: MEDIUM\nMessage: VPC Flow Logs is not enabled for VPC\nLink: [AVD-AWS-0178](https://avd.aquasec.com/misconfig/avd-aws-0178)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/vpc/aws/modules/vpc-endpoints/main.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 28,
                  "startColumn": 1,
                  "endLine": 51,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/vpc/aws/modules/vpc-endpoints/main.tf"
              }
            }
          ]
        }
      ],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///github/workspace/"
        }
      }
    }
  ]
}

@starcke
Copy link

starcke commented Sep 3, 2024

Thanks for posting the SARIF. The problem is that Code scanning does not support the originalUriBaseIds field. This means that the first result object:

        {
          "ruleId": "AVD-AWS-0066",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Artifact: \nType: cloudformation\nVulnerability AVD-AWS-0066\nSeverity: LOW\nMessage: Function does not have tracing enabled.\nLink: [AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": ""
              }
            }
          ]
        },

contains an empty URI and therefore cannot be processed by code scanning.

Note: even with originalUriBaseIds it seems to point to a directory and not a file, so I am unsure what that means in terms of the result.

@nikpivkin
Copy link

Hi @starcke !

According to the documentation:

You can check a SARIF file is compatible with code scanning by testing it against the GitHub ingestion rules. For more information, visit the Microsoft SARIF validator.

SARIF reports with an empty artifactLocation.uri successfully pass validation at https://sarifweb.azurewebsites.net/Validation, which, according to the documentation, confirms their compatibility with GitHub Code Scanning. However, uploading such reports via the github/codeql-action/upload-sarif action results in an error, indicating a potential mismatch between the validation process and the actual handling of SARIF files by GitHub.

@starcke
Copy link

starcke commented Dec 20, 2024

Hi @nikpivkin

That is unfortunate, but I am afraid we do not maintain the web-based validation. I see you already found the place to report it.
It is unlikely we'll be able to handle these cases as we need the URI to determine which file to attach the finding to.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants