Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/advanced-security/filter-sarif

GitHub Action for filtering Code Scanning alerts by path and id

code-scanning github-advanced-security sarif

Last synced: 3 months ago



README

        

# filter-sarif

Takes a SARIF file and a list of inclusion and exclusion patterns as input and removes alerts (SARIF results) from the file according to those patterns, so that they are never uploaded to Code Scanning.

# Example

The following example removes all alerts from all Java test files:

```yaml
name: "Filter SARIF"
on:
  push:
    branches: [master]

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        language: [ 'java' ]

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}

    - name: Autobuild
      uses: github/codeql-action/autobuild@v3

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:${{matrix.language}}"
        output: sarif-results
        upload: failure-only

    - name: filter-sarif
      uses: advanced-security/filter-sarif@v1
      with:
        patterns: |
          +**/*.java
          -**/*Test*.java
        input: sarif-results/java.sarif
        output: sarif-results/java.sarif

    - name: Upload SARIF
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: sarif-results/java.sarif

    - name: Upload loc as a Build Artifact
      uses: actions/upload-artifact@v4
      with:
        name: sarif-results
        path: sarif-results
        retention-days: 1
```

Note how we provided `upload: failure-only` and `output: sarif-results` to the `analyze` action. That way the `analyze` step writes the SARIF to disk instead of uploading it, so we can filter it with the `filter-sarif` action before uploading it via `upload-sarif`. Diagnostic output is still uploaded and visible on the [tool status page](https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page) if the run fails. Finally, we also attach the resulting SARIF file to the build as an artifact, which is convenient for later inspection. Keep in mind that alerts removed this way never reach Code Scanning at all (they are not dismissed alerts, they simply do not exist there), so keep exclusion patterns narrow (test code, generated code, vendored code) and review changes to them like any other change to a security control.

# Patterns

Each pattern line is of the form:
```
[+/-]<file pattern>[:<rule pattern>]
```

for example:
```
-**/*Test*.java:**                 # exclusion pattern: remove all alerts from all Java test files
-**/*Test*.java                    # ditto, short form of the line above
+**/*.java:java/sql-injection      # inclusion pattern: this line has precedence over the first two
                                   # and thus allows alerts of type "java/sql-injection"
**/*.java:java/sql-injection       # ditto, the "+" in inclusion patterns is optional
**                                 # allow all alerts in all files (reverses all previous lines)
```

A minimal config to allow only files in the path `myproject/` is:

```
-**/* # exclusion pattern: DENY ALL
myproject/**/* # inclusion pattern: allows alerts in the path 'myproject/'
```

* The path separator character in patterns is always `/`, independent of the platform the code is running on and independent of the paths in the SARIF file.
* `*` matches any sequence of characters (including the empty one), except a path separator
* `**` matches any sequence of characters, including path separators, and is only allowed at the start, at the end, or between path separators, e.g. `/**/file.txt`, `**/file.txt` or `**`. NOT allowed: `**.txt`, `/etc**`
* The rule pattern is optional. If omitted, the line applies to alerts of all rule types.
* Lines are evaluated in order and later lines override earlier ones; the last line that matches a given file and rule decides. By default (when no line matches) all alerts are included.
* If you need the literals `+`, `-`, `\` or `:` in your pattern, escape them with `\`, e.g. `\-this/is/an/inclusion/file/pattern\:with-a-colon:and/a/rule/pattern/with/a/\\/backslash`. For `+` and `-`, this is only necessary if they appear at the beginning of the pattern line, since that is the only position where they are read as the inclusion/exclusion sign.
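To make the pattern semantics above concrete for both the workflow example and the pattern rules, here is an added example: a small, stand-alone Python re-implementation of the documented matching rules (sign, file glob, optional rule glob, `\` escapes, later lines override earlier ones, include-by-default) applied to a constructed SARIF document. It is not the action's own code. It assumes that an alert is matched by the `artifactLocation.uri` of its `locations` and by its `ruleId`, that `#` lines and trailing ` # ...` text are comments (as in the README examples), and that a result is dropped only when every one of its locations is excluded; those three points are assumptions made for the illustration, not documented behaviour of filter-sarif.

```python
import copy
import re
from dataclasses import dataclass


@dataclass
class Pattern:
    include: bool          # True for '+' / no sign, False for '-'
    file_re: re.Pattern    # compiled from the file glob
    rule_re: re.Pattern    # compiled from the rule glob ('**' when omitted)


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate one file or rule glob into a regex following the README rules:
    '*' matches any run of characters except '/', '**' matches anything and is
    only legal at the start, at the end, or between two '/' separators."""
    out, i, n = [], 0, len(glob)
    while i < n:
        if glob.startswith("**", i):
            before_ok = i == 0 or glob[i - 1] == "/"
            after_ok = i + 2 == n or glob[i + 2] == "/"
            if not (before_ok and after_ok):
                raise ValueError(f"'**' must sit between path separators: {glob!r}")
            if i + 2 < n:          # '**/' followed by more glob: zero or more directories
                out.append("(?:.*/)?")
                i += 3
            else:                  # trailing '**': anything up to the end of the string
                out.append(".*")
                i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))


def parse_patterns(text: str) -> list:
    """Parse pattern lines of the form [+/-]<file pattern>[:<rule pattern>]."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # assumption: a trailing ' # ...' is a comment (matches the README examples)
        line = re.split(r"\s+#", line, maxsplit=1)[0].rstrip()
        include = True
        if line[0] in "+-":        # sign is only read at the start of the line
            include = line[0] == "+"
            line = line[1:]
        file_part, rule_part, target, i = [], None, None, 0
        target = file_part
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):   # '\x' is a literal x
                target.append(line[i + 1])
                i += 2
                continue
            if ch == ":" and rule_part is None:    # first unescaped ':' starts the rule glob
                rule_part = []
                target = rule_part
                i += 1
                continue
            target.append(ch)
            i += 1
        rule_glob = "".join(rule_part) if rule_part is not None else "**"
        patterns.append(Pattern(include, glob_to_regex("".join(file_part)), glob_to_regex(rule_glob)))
    return patterns


def is_included(patterns: list, path: str, rule_id: str) -> bool:
    """By default every alert is included; the last matching line decides."""
    included = True
    for p in patterns:
        if p.file_re.fullmatch(path) and p.rule_re.fullmatch(rule_id):
            included = p.include
    return included


def filter_sarif(sarif: dict, patterns: list) -> dict:
    """Return a copy of the SARIF document with excluded results removed."""
    out = copy.deepcopy(sarif)
    for run in out.get("runs", []):
        kept = []
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            uris = [loc["physicalLocation"]["artifactLocation"]["uri"]
                    for loc in result.get("locations", []) if "physicalLocation" in loc]
            # assumption: drop only if every location is excluded; keep results without locations
            if not uris or any(is_included(patterns, u, rule_id) for u in uris):
                kept.append(result)
        run["results"] = kept
    return out


def kept_alerts(sarif: dict) -> list:
    """(uri, ruleId) pairs that survived filtering, for inspection."""
    return [(r["locations"][0]["physicalLocation"]["artifactLocation"]["uri"], r["ruleId"])
            for run in sarif["runs"] for r in run["results"]]


def _loc(uri: str) -> dict:
    return {"physicalLocation": {"artifactLocation": {"uri": uri}}}


# Constructed sample SARIF (not real CodeQL output): one run with four results.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "CodeQL"}}, "results": [
    {"ruleId": "java/sql-injection", "locations": [_loc("src/main/java/App.java")]},
    {"ruleId": "java/sql-injection", "locations": [_loc("src/test/java/AppTest.java")]},
    {"ruleId": "java/unused-variable", "locations": [_loc("src/test/java/AppTest.java")]},
    {"ruleId": "java/xss", "locations": [_loc("vendor/lib/Helper.java")]},
]}]}

# Constructed pattern set: silence test files, but keep SQL injection findings anywhere.
SAMPLE_PATTERNS = """
-**/*Test*.java:**                 # exclusion: all alerts in Java test files
+**/*.java:java/sql-injection      # inclusion: overrides the line above for this rule
"""

if __name__ == "__main__":
    for uri, rule in kept_alerts(filter_sarif(SAMPLE_SARIF, parse_patterns(SAMPLE_PATTERNS))):
        print(f"kept {rule} in {uri}")
```

Running the file drops only the `java/unused-variable` alert in `AppTest.java`: the test-file exclusion matches it, and the later inclusion line does not, because its rule glob only admits `java/sql-injection`. The `vendor/lib/Helper.java` alert is kept because no line matches it at all, which is the include-by-default rule; a deny-all first line (`-**/*`) is what you need if you want an allow-list instead.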