{"id":13809731,"url":"https://github.com/advanced-security/filter-sarif","last_synced_at":"2025-09-14T21:22:42.056Z","repository":{"id":49752273,"uuid":"517930493","full_name":"advanced-security/filter-sarif","owner":"advanced-security","description":"GitHub Action for filtering Code Scanning alerts by path and id","archived":false,"fork":false,"pushed_at":"2024-10-16T13:23:19.000Z","size":68,"stargazers_count":28,"open_issues_count":3,"forks_count":8,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-05-31T06:43:53.648Z","etag":null,"topics":["code-scanning","github-advanced-security","sarif"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/advanced-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-26T05:50:37.000Z","updated_at":"2025-05-22T09:05:41.000Z","dependencies_parsed_at":"2023-12-18T19:09:04.131Z","dependency_job_id":"30697793-98be-4a2a-988f-05435d51c94a","html_url":"https://github.com/advanced-security/filter-sarif","commit_stats":{"total_commits":11,"total_committers":1,"mean_commits":11.0,"dds":0.0,"last_synced_commit":"09a9626fe5e89584ba5ed115143975bfc59ac6a9"},"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/advanced-security/filter-sarif","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Ffilter-sarif","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Ffilter-sarif/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Ffilter-sarif/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Ffilter-sarif/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/advanced-security","download_url":"https://codeload.github.com/advanced-security/filter-sarif/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Ffilter-sarif/sbom","scorecard":{"id":168403,"data":{"date":"2025-08-11","repo":{"name":"github.com/advanced-security/filter-sarif","commit":"59d0a64b3c0a34d787819f6659708915b6210582"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.7,"checks":[{"name":"Code-Review","score":2,"reason":"Found 4/17 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/action-test.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/advanced-security/filter-sarif/action-test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/action-test.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/advanced-security/filter-sarif/action-test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/action-test.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/advanced-security/filter-sarif/action-test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/action-test.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/advanced-security/filter-sarif/action-test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/action-test.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/advanced-security/filter-sarif/action-test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/action-test.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/advanced-security/filter-sarif/action-test.yml/main?enable=pin","Info:   0 out of   5 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/action-test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/advanced-security/.github/SECURITY.md:1","Info: Found linked content: github.com/advanced-security/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/advanced-security/.github/SECURITY.md:1","Info: Found text in security policy: github.com/advanced-security/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'","Warn: branch protection not enabled for branch 'develop'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 0 commits out of 11 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-16T15:38:44.480Z","repository_id":49752273,"created_at":"2025-08-16T15:38:44.480Z","updated_at":"2025-08-16T15:38:44.480Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275168980,"owners_count":25417227,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-14T02:00:10.474Z","response_time":75,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["code-scanning","github-advanced-security","sarif"],"created_at":"2024-08-04T02:00:35.157Z","updated_at":"2025-09-14T21:22:42.018Z","avatar_url":"https://github.com/advanced-security.png","language":"Java","funding_links":[],"categories":["CodeQL Actions Helpers"],"sub_categories":[],"readme":"# filter-sarif\n\nTakes a SARIF file and a list of inclusion and exclusion patterns as input and removes alerts from the SARIF file according to those patterns.\n\n# Example\n\nThe following example removes all alerts from all Java test files:\n\n```yaml\nname: \"Filter SARIF\"\non:\n  push:\n    branches: [master]\n\njobs:\n  analyze:\n    name: Analyze\n    runs-on: ubuntu-latest\n\n    strategy:\n      fail-fast: false\n      matrix:\n        language: [ 'java' ]\n\n    steps:\n    - name: Checkout repository\n      uses: actions/checkout@v4\n\n    - name: Initialize CodeQL\n      uses: github/codeql-action/init@v3\n      with:\n        languages: ${{ matrix.language }}\n\n    - name: Autobuild\n      uses: github/codeql-action/autobuild@v3\n\n    - name: Perform CodeQL Analysis\n      uses: github/codeql-action/analyze@v3\n      with:\n        category: \"/language:${{matrix.language}}\"\n        output: sarif-results\n        upload: failure-only\n\n    - name: filter-sarif\n      uses: advanced-security/filter-sarif@v1\n      with:\n        patterns: |\n          +**/*.java\n          -**/*Test*.java\n        input: sarif-results/java.sarif\n        output: sarif-results/java.sarif\n\n    - name: Upload SARIF\n      uses: github/codeql-action/upload-sarif@v3\n      with:\n        sarif_file: sarif-results/java.sarif\n\n    - name: Upload loc as a Build Artifact\n      uses: actions/upload-artifact@v4\n      with:\n        name: sarif-results\n        path: sarif-results\n        retention-days: 1\n```\n\nNote how we provided `upload: failure-only` and `output: sarif-results` to the `analyze` action. That way we can filter the SARIF with the `filter-sarif` action before uploading it via `upload-sarif`. Diagnostic output is still uploaded and visible on the [tool status page](https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page) if the run fails. Finally, we also attach the resulting SARIF file to the build, which is convenient for later inspection.\n\n# Patterns\n\nEach pattern line is of the form:\n```\n[+/-]\u003cfile pattern\u003e[:\u003crule pattern\u003e]\n```\n\nfor example:\n```\n-**/*Test*.java:**               # exclusion pattern: remove all alerts from all Java test files\n-**/*Test*.java                  # ditto, short form of the line above\n+**/*.java:java/sql-injection    # inclusion pattern: This line has precedence over the first two\n                                 # and thus allows alerts of type \"java/sql-injection\"\n**/*.java:java/sql-injection     # ditto, the \"+\" in inclusion patterns is optional\n**                               # allow all alerts in all files (reverses all previous lines)\n```\n\nA minimal config to allow only files in the path `myproject/` is:\n\n```\n-**/*                            # exclusion pattern: DENY ALL\nmyproject/**/*                   # inclusion pattern: allows alerts in the path 'myproject/'\n```\n\n* The path separator character in patterns is always `/`, independent of the platform the code is running on and independent of the paths in the SARIF file.\n* `*` matches any character, except a path separator\n* `**` matches any character and is only allowed between path separators, e.g. `/**/file.txt`, `**/file.txt` or `**`. NOT allowed: `**.txt`, `/etc**`\n* The rule pattern is optional. If omitted, it will apply to alerts of all types.\n* Subsequent lines override earlier ones. By default all alerts are included.\n* If you need to use the literals `+`, `-`, `\\` or `:` in your pattern, you can escape them with `\\`, e.g. `\\-this/is/an/inclusion/file/pattern\\:with-a-semicolon:and/a/rule/pattern/with/a/\\\\/backslash`. For `+` and `-`, this is only necessary if they appear at the beginning of the pattern line.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadvanced-security%2Ffilter-sarif","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadvanced-security%2Ffilter-sarif","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadvanced-security%2Ffilter-sarif/lists"}