docs/content/github/finding-security-vulnerabilities-and-errors-in-your-code/uploading-a-sarif-file-to-github.md
hubwriter de28b750d1 Configure GITHUB_TOKEN permissions (#18348)
* Add 'permissions' to reference page

* Final set of pre-review changes

* Update content/actions/learn-github-actions/security-hardening-for-github-actions.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update data/reusables/github-actions/workflow-permissions-intro.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update data/reusables/github-actions/publish-to-packages-workflow-step.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/guides/publishing-nodejs-packages.md

* Update content/actions/guides/publishing-java-packages-with-gradle.md

* Update content/actions/guides/publishing-java-packages-with-maven.md

* Update content/actions/guides/publishing-nodejs-packages.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/learn-github-actions/security-hardening-for-github-actions.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/reference/workflow-syntax-for-github-actions.md

* Update content/actions/reference/workflow-syntax-for-github-actions.md

* Update content/actions/reference/workflow-syntax-for-github-actions.md

* Update content/github/administering-a-repository/disabling-or-limiting-github-actions-for-a-repository.md

* Update content/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization.md

* Update content/github/setting-up-and-managing-your-enterprise/enforcing-github-actions-policies-in-your-enterprise-account.md

* Update content/packages/guides/using-github-packages-with-github-actions.md

* Make review comment changes (locally)

* Resolve conflicts caused by remotely made review changes

* Remove translation file changes from PR.

* Remove rogue indentation in Important box

* Remove sentence about default being set to restricted.

This *will* be the case for new repos in future,
but that isn't being shipped at the moment.

* Add permissions to workflow examples (#18393)

Co-authored-by: Sarah Edwards <skedwards88@github.com>
2021-04-20 15:49:38 +00:00

---
title: Uploading a SARIF file to GitHub
shortTitle: Uploading a SARIF file
intro: '{% data reusables.code-scanning.you-can-upload-third-party-analysis %}'
permissions: 'People with write permissions to a repository can upload {% data variables.product.prodname_code_scanning %} data generated outside {% data variables.product.prodname_dotcom %}.'
product: '{% data reusables.gated-features.code-scanning %}'
versions:
  enterprise-server: '2.22'
topics:
  - security
---

{% data reusables.code-scanning.beta %} {% data reusables.code-scanning.enterprise-enable-code-scanning %}

About SARIF file uploads for {% data variables.product.prodname_code_scanning %}

{% data variables.product.prodname_dotcom %} creates {% data variables.product.prodname_code_scanning %} alerts in a repository using information from Static Analysis Results Interchange Format (SARIF) files. SARIF files can be uploaded to a repository using the API or {% data variables.product.prodname_actions %}. For more information, see "Managing {% data variables.product.prodname_code_scanning %} alerts for your repository."

You can generate SARIF files using many static analysis security testing tools, including {% data variables.product.prodname_codeql %}. The results must use SARIF version 2.1.0. For more information, see "SARIF support for {% data variables.product.prodname_code_scanning %}."

You can upload the results using {% data variables.product.prodname_actions %} (available if your organization is taking part in the beta program), the {% data variables.product.prodname_code_scanning %} API, or the {% data variables.product.prodname_codeql_runner %}. The best upload method depends on how you generate the SARIF file. For example, if you use:

  • {% data variables.product.prodname_actions %} to run the {% data variables.product.prodname_codeql %} action, no further action is required. The {% data variables.product.prodname_codeql %} action uploads the SARIF file automatically when it completes analysis.
  • {% data variables.product.prodname_actions %} to run a SARIF-compatible analysis tool, you can update the workflow to include a final step that uploads the results (see below).
  • The {% data variables.product.prodname_codeql_runner %} to run {% data variables.product.prodname_code_scanning %} in your CI system, the runner uploads results to {% data variables.product.prodname_dotcom %} automatically on completion by default. If you block the automatic upload, you can use the upload command when you are ready to upload results (for more information, see "Running {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} in your CI system").
  • A tool that generates results as an artifact outside of your repository, you can use the {% data variables.product.prodname_code_scanning %} API to upload the file (for more information, see "Upload an analysis as SARIF data").
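The API route from the last bullet, as an added example (not code from this page or from GitHub's own tooling): a small Python client that enforces the SARIF 2.1.0 requirement stated above, packages the file for upload, and sends it with a token that has write access to the repository. It assumes the POST /repos/{owner}/{repo}/code-scanning/sarifs endpoint and its gzip-plus-base64 `sarif`, `commit_sha` and `ref` fields, none of which are spelled out on this page; the SARIF document embedded below is constructed sample input.

```python
"""Package a SARIF 2.1.0 file for the code scanning upload API (added example, not from the docs page).

Assumed, not stated on the page: POST /repos/{owner}/{repo}/code-scanning/sarifs takes the SARIF
gzip-compressed and base64-encoded in "sarif" plus "commit_sha" and "ref", with a write-access token.
"""
import base64
import gzip
import json
import urllib.request

REQUIRED_SARIF_VERSION = "2.1.0"  # the only version the page says code scanning accepts

# Constructed minimal SARIF document with one ESLint-style result (sample input, not a real scan).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "ESLint"}},
              "results": [{"ruleId": "no-eval", "message": {"text": "eval can be harmful"},
                           "locations": [{"physicalLocation": {
                               "artifactLocation": {"uri": "lib/app.js"},
                               "region": {"startLine": 12}}}]}]}],
}).encode()

def check_sarif(sarif_bytes: bytes) -> dict:
    """Parse the file and reject anything that is not SARIF 2.1.0 with at least one run."""
    doc = json.loads(sarif_bytes)
    if doc.get("version") != REQUIRED_SARIF_VERSION:
        raise ValueError(f"SARIF version {doc.get('version')!r} not accepted; need {REQUIRED_SARIF_VERSION}")
    if not doc.get("runs"):
        raise ValueError("SARIF file has no runs; nothing to upload")
    return doc

def build_upload_payload(sarif_bytes: bytes, commit_sha: str, ref: str) -> dict:
    """Build the request body: validate, gzip, then base64-encode the SARIF as the API expects."""
    check_sarif(sarif_bytes)
    encoded = base64.b64encode(gzip.compress(sarif_bytes)).decode("ascii")
    return {"commit_sha": commit_sha, "ref": ref, "sarif": encoded}

def decode_payload_sarif(payload: dict) -> bytes:
    """Reverse the encoding, to confirm a payload round-trips before it is sent."""
    return gzip.decompress(base64.b64decode(payload["sarif"]))

def upload(owner: str, repo: str, payload: dict, token: str) -> int:
    """POST the payload to the API and return the HTTP status code of the response."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json",
               "Content-Type": "application/json"}
    req = urllib.request.Request(f"https://api.github.com/repos/{owner}/{repo}/code-scanning/sarifs",
                                 data=json.dumps(payload).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Call `upload("OWNER", "REPO", build_upload_payload(open("results.sarif", "rb").read(), commit_sha, "refs/heads/main"), token)` from a CI job that already has the analysis artifact; `commit_sha` must be the commit the scan was run against, or the alerts will be attached to the wrong code.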

{% data reusables.code-scanning.not-available %}

Uploading a {% data variables.product.prodname_code_scanning %} analysis with {% data variables.product.prodname_actions %}

To use {% data variables.product.prodname_actions %} to upload a third-party SARIF file to a repository, you'll need a workflow. For more information, see "Learn {% data variables.product.prodname_actions %}."

Your workflow will need to use the upload-sarif action, which is part of the github/codeql-action repository. It has input parameters that you can use to configure the upload. The main input parameter you'll use is sarif_file, which configures the file or directory of SARIF files to be uploaded. The directory or file path is relative to the root of the repository. For more information, see the upload-sarif action.

The upload-sarif action can be configured to run when the push and schedule events occur. For more information about {% data variables.product.prodname_actions %} events, see "Events that trigger workflows."

If your SARIF file doesn't include partialFingerprints, the upload-sarif action will calculate the partialFingerprints field for you and attempt to prevent duplicate alerts. {% data variables.product.prodname_dotcom %} can only create partialFingerprints when the repository contains both the SARIF file and the source code used in the static analysis. For more information about preventing duplicate alerts, see "SARIF support for {% data variables.product.prodname_code_scanning %}."

{% data reusables.code-scanning.upload-sarif-alert-limit %}

Example workflow for SARIF files generated outside of a repository

You can create a new workflow that uploads SARIF files after you commit them to your repository. This is useful when the SARIF file is generated as an artifact outside of your repository.

This example workflow runs anytime commits are pushed to the repository. The action uses the partialFingerprints property to determine if changes have occurred. In addition to running when commits are pushed, the workflow is scheduled to run once per week. For more information, see "Events that trigger workflows."

This workflow uploads the results.sarif file located in the root of the repository. For more information about creating a workflow file, see "Learn {% data variables.product.prodname_actions %}."

Alternatively, you could modify this workflow to upload a directory of SARIF files. For example, you could place all SARIF files in a directory in the root of your repository called sarif-output and set the action's input parameter sarif_file to sarif-output.

```yaml
name: "Upload SARIF"

# Run workflow each time code is pushed to your repository and on a schedule.
# The scheduled workflow runs every Friday at 15:45 UTC.
on:
  push:
  schedule:
  - cron: '45 15 * * 5'

jobs:
  build:
    runs-on: ubuntu-latest{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.1" or currentVersion == "github-ae@next" %}
    permissions:
      security-events: write{% endif %}
    steps:
    # This step checks out a copy of your repository.
    - name: Checkout repository
      uses: actions/checkout@v2
    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v1
      with:
        # Path to SARIF file relative to the root of the repository
        sarif_file: results.sarif
```

Example workflow that runs the ESLint analysis tool

If you generate your third-party SARIF file as part of a continuous integration (CI) workflow, you can add the upload-sarif action as a step after running your CI tests. If you don't already have a CI workflow, you can create one using a {% data variables.product.prodname_actions %} template. For more information, see the "{% data variables.product.prodname_actions %} quickstart."

This example workflow runs anytime commits are pushed to the repository. The action uses the partialFingerprints property to determine if changes have occurred. In addition to running when commits are pushed, the workflow is scheduled to run once per week. For more information, see "Events that trigger workflows."

The workflow shows an example of running the ESLint static analysis tool as a step in a workflow. The Run ESLint step runs the ESLint tool and outputs the results.sarif file. The workflow then uploads the results.sarif file to {% data variables.product.prodname_dotcom %} using the upload-sarif action. For more information about creating a workflow file, see "Introduction to GitHub Actions."

```yaml
name: "ESLint analysis"

# Run workflow each time code is pushed to your repository and on a schedule.
# The scheduled workflow runs every Monday at 15:45 UTC.
on:
  push:
  schedule:
  - cron: '45 15 * * 1'

jobs:
  build:
    runs-on: ubuntu-latest{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.1" or currentVersion == "github-ae@next" %}
    permissions:
      security-events: write{% endif %}
    steps:
    - uses: actions/checkout@v2
    - name: Run npm install
      run: npm install
    # Runs the ESLint code analysis
    - name: Run ESLint
      # eslint exits 1 if it finds anything to report
      run: node_modules/.bin/eslint build docs lib script spec-main -f node_modules/@microsoft/eslint-formatter-sarif/sarif.js -o results.sarif || true
    # Uploads results.sarif to GitHub repository using the upload-sarif action
    - uses: github/codeql-action/upload-sarif@v1
      with:
        # Path to SARIF file relative to the root of the repository
        sarif_file: results.sarif
```

Further reading