Upload SARIF to Code Scanning #660
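# GitHub Actions workflow to upload SARIF files to GitHub Code Scanning
# This enables viewing DevOps Shield security assessment results in the Security tab
#
# The check step selects ONE upload location — the workflow_dispatch input when
# given, otherwise sarif-results/ and then the legacy docs/sarif/ — and exports
# it as `sarif_path`. The upload step consumes that path, so it can no longer be
# pointed at a directory that holds no SARIF while the count says otherwise, and
# the summary reports the real outcome of the upload instead of assuming success.
name: Upload SARIF to Code Scanning

on:
  push:
    branches: [main]
    paths:
      - 'docs/sarif/*.sarif'
      - 'sarif-results/*.sarif'
  pull_request:
    branches: [main]
    paths:
      - 'docs/sarif/*.sarif'
      - 'sarif-results/*.sarif'
  workflow_dispatch:
    inputs:
      sarif_file:
        description: 'Path to SARIF file (or directory of SARIF files) to upload'
        required: false
        default: 'sarif-results/devops-shield-assessment.sarif'
      category:
        description: 'Category for Code Scanning'
        required: false
        default: 'devops-shield-sarif-export-test'

# Least privilege: only security-events needs write; upload-sarif needs
# actions: read on private repositories.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  upload-sarif:
    name: Upload SARIF
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        # Consider pinning actions to a full commit SHA instead of a floating
        # tag to harden against a retagged or compromised upstream release.
        uses: actions/checkout@v4

      - name: Check for SARIF files
        id: check-sarif
        # The dispatch input reaches the script through env, never by
        # interpolating ${{ }} into the shell text, so it cannot be executed.
        env:
          REQUESTED_PATH: ${{ github.event.inputs.sarif_file }}
        run: |
          set -euo pipefail
          SARIF_COUNT=0
          SARIF_PATH=""

          if [ -n "${REQUESTED_PATH:-}" ]; then
            # workflow_dispatch: honour the requested file or directory as given.
            if [ -f "$REQUESTED_PATH" ]; then
              SARIF_COUNT=1
              SARIF_PATH="$REQUESTED_PATH"
              echo "Using requested SARIF file: $REQUESTED_PATH"
            elif [ -d "$REQUESTED_PATH" ]; then
              SARIF_COUNT=$(find "$REQUESTED_PATH" -name '*.sarif' | wc -l)
              SARIF_PATH="$REQUESTED_PATH"
              echo "Found $SARIF_COUNT SARIF file(s) in $REQUESTED_PATH/"
              find "$REQUESTED_PATH" -name '*.sarif' -exec echo " - {}" \;
            else
              echo "::warning::Requested SARIF path does not exist: $REQUESTED_PATH"
            fi
          else
            # push / pull_request: prefer sarif-results (native export, no cleanup
            # needed) and fall back to the legacy docs/sarif location.
            for DIR in sarif-results docs/sarif; do
              if [ -d "$DIR" ]; then
                COUNT=$(find "$DIR" -name '*.sarif' | wc -l)
                echo "Found $COUNT SARIF file(s) in $DIR/"
                find "$DIR" -name '*.sarif' -exec echo " - {}" \;
                # First location with at least one file wins; the others are
                # only listed for the log.
                if [ "$COUNT" -gt 0 ] && [ -z "$SARIF_PATH" ]; then
                  SARIF_COUNT=$COUNT
                  SARIF_PATH="$DIR"
                fi
              fi
            done
          fi

          {
            echo "sarif_count=$SARIF_COUNT"
            echo "sarif_path=$SARIF_PATH"
          } >> "$GITHUB_OUTPUT"
          echo "Total: $SARIF_COUNT SARIF file(s) to upload from '${SARIF_PATH:-<none>}'"

      - name: Upload SARIF to Code Scanning
        id: upload
        if: steps.check-sarif.outputs.sarif_count != '0'
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ steps.check-sarif.outputs.sarif_path }}
          category: ${{ github.event.inputs.category || 'devops-shield-sarif-export-test' }}
          wait-for-processing: true
        # Kept so the reporting steps below always run; they inspect
        # steps.upload.outcome and fail the job themselves on an upload error.
        continue-on-error: true

      - name: Summary
        if: steps.check-sarif.outputs.sarif_count != '0' && steps.upload.outcome == 'success'
        env:
          SARIF_PATH: ${{ steps.check-sarif.outputs.sarif_path }}
        run: |
          {
            echo "## SARIF Upload Summary"
            echo ""
            echo "✅ Successfully uploaded SARIF files to GitHub Code Scanning"
            echo ""
            echo "### Files Uploaded"
            # Only the location that was actually uploaded is listed.
            if [ -d "$SARIF_PATH" ]; then
              find "$SARIF_PATH" -name '*.sarif' -printf '- `%p`\n'
            else
              echo "- \`$SARIF_PATH\`"
            fi
            echo ""
            echo "### View Results"
            echo "Navigate to **Security** > **Code scanning** to view the results."
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Upload failed
        if: steps.check-sarif.outputs.sarif_count != '0' && steps.upload.outcome != 'success'
        run: |
          {
            echo "## SARIF Upload Summary"
            echo ""
            echo "❌ SARIF upload to GitHub Code Scanning failed; see the upload step log."
          } >> "$GITHUB_STEP_SUMMARY"
          # Surface the failure instead of leaving Code Scanning silently stale.
          echo "::error::SARIF upload failed"
          exit 1

      - name: No SARIF files found
        if: steps.check-sarif.outputs.sarif_count == '0'
        run: |
          echo "## SARIF Upload Summary" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "⚠️ No SARIF files found" >> "$GITHUB_STEP_SUMMARY"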