Valid SARIF file being rejected by GitHub with locationFromSarifResult error #2770
Comments
I hit the same issue, @blupants. This is due to the Trivy action scanning libraries as well. If I run for example (same command Action invokes):
I get an empty
Running with
Hi! Any updates?
My issue seems to be similar to this previous one.
I am using the Trivy open source security scanner that generates valid SARIF files such as this one.
Most of the files get properly parsed and uploaded to the GitHub Security tab. However, when I try to upload this one using the "github/codeql-action/upload-sarif@v2" Action, I get the following error:
I checked GitHub documentation [1] [2] and it points to this Microsoft SARIF validator. I uploaded my SARIF file multiple times to the validator and it always says the file is good.
Steps to reproduce:
1. Make sure trivy-results-sarif is validated by https://sarifweb.azurewebsites.net/Validation
2. Select a repo with GitHub Actions available and create a "sarif-issue" branch
3. Create a folder .github/workflows/config and add trivy-results-sarif to it: .github/workflows/config/trivy-results.sarif
4. Create a new Action .github/workflows/sarif-issue.yml that will upload the SARIF to GitHub
5. Commit the changes and push them to the "sarif-issue" branch
6. Job "Upload Trivy scan results to GitHub Security tab" will fail and throw the "locationFromSarifResult: expected artifact location" error.
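The "expected artifact location" error means the upload step found a result it could not attach to a file. The following pre-upload check is an added example written for this page; it is not part of Trivy or github/codeql-action. It assumes, from the error text, that every SARIF result must carry a locations[].physicalLocation.artifactLocation.uri, and it runs against a small constructed SARIF log embedded inline (not the reporter's file) so that it works offline:

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample SARIF 2.1.0 log (assumption: not the reporter's file).
# The first result carries an artifactLocation, the second has no location at
# all, which is the shape that trips the "expected artifact location" check.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "constructed-scanner", "rules": []}},
        "results": [
            {
                "ruleId": "CONSTRUCTED-RULE-1",
                "level": "error",
                "message": {"text": "constructed finding with a file location"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "Dockerfile"},
                    "region": {"startLine": 1},
                }}],
            },
            {
                "ruleId": "CONSTRUCTED-RULE-2",
                "level": "warning",
                "message": {"text": "constructed finding without any location"},
                "locations": [],
            },
        ],
    }],
})


def result_artifact_uri(result: Dict[str, Any]) -> Optional[str]:
    """Return the artifactLocation.uri of the first physicalLocation on a result, or None."""
    for loc in result.get("locations") or []:
        physical = loc.get("physicalLocation") or {}
        uri = (physical.get("artifactLocation") or {}).get("uri")
        if uri:
            return uri
    return None


def find_results_without_artifact_location(sarif_text: str) -> List[Tuple[int, int, str]]:
    """List (run index, result index, ruleId) for every result that has no artifact URI."""
    log = json.loads(sarif_text)
    missing: List[Tuple[int, int, str]] = []
    for run_idx, run in enumerate(log.get("runs", [])):
        for res_idx, result in enumerate(run.get("results", [])):
            if result_artifact_uri(result) is None:
                missing.append((run_idx, res_idx, result.get("ruleId", "<no ruleId>")))
    return missing


def count_results(sarif_text: str) -> int:
    """Total number of results across all runs, used to confirm what a filter removed."""
    log = json.loads(sarif_text)
    return sum(len(run.get("results", [])) for run in log.get("runs", []))


def drop_results_without_artifact_location(sarif_text: str) -> str:
    """Return a copy of the log with location-less results removed.

    This is a last-resort workaround for getting the rest of the findings
    uploaded; the dropped findings are still real and should be reviewed
    from the scanner's own output, not silently forgotten.
    """
    log = json.loads(sarif_text)
    for run in log.get("runs", []):
        run["results"] = [r for r in run.get("results", [])
                          if result_artifact_uri(r) is not None]
    return json.dumps(log, indent=2)


if __name__ == "__main__":
    # Gate the upload: report every result the upload step would reject.
    for run_idx, res_idx, rule in find_results_without_artifact_location(SAMPLE_SARIF):
        print(f"runs[{run_idx}].results[{res_idx}] ({rule}) has no artifactLocation.uri")
```

Run it as a CI step before the upload-sarif action (reading the real file instead of SAMPLE_SARIF) and fail the job, or log the offending ruleIds, when the list is non-empty; that tells you which scanner results lack a file path before GitHub rejects the whole file.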