Option to opt-out from SARIF Report Upload

[Akaame]

Hello,

I have included this to my CI pipelines and have encountered the following error:

ERR Upload of Sarif Report GitHub yielded error error="POST https://api.github.com/repos/<org>/<repo>/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. 

Would it be possible to add an option to add the SARIF report to step outputs and opt-out from uploading the report?

[Templum]

Sounds like a reasonable suggestion. Could you elaborate on how you would envision the opt-out to function?

[Akaame]

I was thinking of adding a fifth option to (either enum or bool) to denote the target as Code Scanning or Action Outputs (do not know if github.Client can do this) to instantiate GithubSarifUploader or a to-be GithubActionsUpload. I am not versed with action development so this is only a naive suggestion on my end.

[Templum]

Actually, I was referring if you would expect to configure this via an additional input (like go-version) or by setting an env (which is currently done for Debug Logs)

[Templum]

@Akaame I implemented your request, could you please give it a try. It's available under branch feature/10.

Here is an example configuration (I used that to verify):

  Code-Scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Scan for Vulnerabilities in Code
        uses: Templum/govulncheck-action@feature/10
        with:
          skip-upload: true
      - name: Upload Sarif Report
        uses: actions/upload-artifact@v3
        with:
          name: sarif-report
          path: govulncheck-report.sarif

[Templum]

@Akaame did you get already a chance to test it out ?

[Templum]

@Akaame I will let the issue open for another 3 Days, then the pr will be merged and issue closed. In case I hear not back

[Akaame]

Seems perfect. Thanks for the effort 👍

[Templum]

@Akaame glad that it works for you 👍

[Templum]

Was released in v0.0.6