create-code-scanning-alert safe-output doesn't seem to work as it should #23725
Closed
Note: This very well could be a user error but I've spent enough time with this problem that having an issue created that creates public documentation (and maybe even official updates to documentation) is probably the right thing to do.
I have an AW that runs the KICS security scanner and uploads the findings to GitHub Advanced Security. But the results don't ever show up in my organization's GHAS dashboard.
GHAW Manifest
```markdown
---
on:
  workflow_dispatch:
permissions:
  actions: read
  contents: read
  issues: read
  pull-requests: read
engine:
  id: copilot
  model: claude-opus-4-6
network:
  allowed:
    - defaults
    - python
    - node
    - go
    - java
tools:
  github:
    toolsets: [default]
  edit:
  bash: true
  web-fetch:
  web-search:
steps:
  - name: Checkout repository
    uses: actions/checkout@v6
    with:
      persist-credentials: false
  - name: Create artifact directory
    run: mkdir -p artifacts
  - name: KICS Github Action
    uses: Checkmarx/kics-github-action@v1.7.0
    with:
      path: .
      output_path: artifacts
      output_formats: json,sarif
      ignore_on_exit: results
  - name: Upload KICS results
    uses: actions/upload-artifact@v7
    with:
      name: kics-results
      path: artifacts/results.json
  - name: Flatten KICS findings for agent
    run: |
      python3 -c "
      import json
      data = json.load(open('artifacts/results.json'))
      findings = []
      for q in data.get('queries', []):
          for f in q.get('files', []):
              for issue in f.get('issues', []):
                  findings.append({
                      'file': f['file_name'],
                      'line': issue['line'],
                      'severity': q['severity'].lower(),
                      'message': q['query_name'] + ': ' + q['description']
                  })
      print(json.dumps(findings, indent=2))
      " > artifacts/findings.json
safe-outputs:
  create-issue:
  create-agent-session:
  create-discussion:
  update-discussion:
  close-discussion:
  close-issue:
  close-pull-request:
  add-comment:
  create-pull-request:
  create-pull-request-review-comment:
  submit-pull-request-review:
  reply-to-pull-request-review-comment:
  resolve-pull-request-review-thread:
  create-code-scanning-alert:
    # github-token: ${{ secrets.GHAS_TOKEN }}
    max: 10000
  add-labels:
  remove-labels:
  add-reviewer:
  assign-milestone:
  assign-to-agent:
  assign-to-user:
  unassign-from-user:
  update-issue:
  update-pull-request:
  push-to-pull-request-branch:
  upload-asset:
  update-release:
  link-sub-issue:
  hide-comment:
  set-issue-type:
  update-project:
  autofix-code-scanning-alert:
  mark-pull-request-as-ready-for-review:
---

# kics-remediation

Read `artifacts/findings.json` — it contains a flat JSON array where each element has `file`, `line`, `severity`, and `message`. Call `create_code_scanning_alert` once per element, one at a time sequentially (not in parallel), passing those four fields directly. Wait for each call to succeed before proceeding to the next. After all alerts are uploaded, read `artifacts/results.json` to analyze the full results and create a tracking issue. Then create a new branch and perform remediation on findings whose `file` path does NOT start with `.github/` — do not modify any files under `.github/` in the PR (mention those findings in the tracking issue as requiring manual attention). Open a pull request with appropriate labels. NEVER automatically merge the pull request.

<!--
## TODO: Customize this workflow

The workflow has been generated based on your selections. Consider adding:

- [ ] More specific instructions for the AI
- [ ] Error handling requirements
- [ ] Output format specifications
- [ ] Integration with other workflows
- [ ] Testing and validation steps

## Configuration Summary

- **Trigger**: Manual trigger
- **AI Engine**: copilot
- **Tools**: github, edit, bash, web-fetch, web-search
- **Safe Outputs**: create-issue, create-agent-session, create-discussion, update-discussion, close-discussion, close-issue, close-pull-request, add-comment, create-pull-request, create-pull-request-review-comment, submit-pull-request-review, reply-to-pull-request-review-comment, resolve-pull-request-review-thread, create-code-scanning-alert, add-labels, remove-labels, add-reviewer, assign-milestone, assign-to-agent, assign-to-user, unassign-from-user, update-issue, update-pull-request, push-to-pull-request-branch, upload-asset, update-release, link-sub-issue, hide-comment, set-issue-type, update-project, create-project, create-project-status-update, autofix-code-scanning-alert, mark-pull-request-as-ready-for-review
- **Network Access**: ecosystem

## Next Steps

1. Review and customize the workflow content above
2. Remove TODO sections when ready
3. Run `gh aw compile` to generate the GitHub Actions workflow
4. Test the workflow with a manual trigger or appropriate event
-->
```
Actions Output (truncated)
```text
Warning: Unexpected input(s) 'github-token', valid inputs are ['sarif_file', 'checkout_path', 'ref', 'sha', 'token', 'matrix', 'category', 'wait-for-processing']
Run github/codeql-action/upload-sarif@cb06a0a8527b2c6970741b3a0baa15231dc74a4c
  with:
    github-token: ***
    sarif_file: /home/runner/work/terraform-azurerm-storage-entropy/terraform-azurerm-storage-entropy/code-scanning-alert.sarif
    wait-for-processing: true
    checkout_path: /home/runner/work/terraform-azurerm-storage-entropy/terraform-azurerm-storage-entropy
    token: ***
    matrix: null
  env:
    GH_AW_CALLER_WORKFLOW_ID: shared-iac/terraform-azurerm-storage-entropy/kics-remediation
    GH_AW_ENGINE_ID: copilot
    GH_AW_ENGINE_MODEL: claude-opus-4-6
    GH_AW_WORKFLOW_ID: kics-remediation
    GH_AW_WORKFLOW_NAME: kics-remediation
Post-processing sarif files: ["/home/runner/work/terraform-azurerm-storage-entropy/terraform-azurerm-storage-entropy/code-scanning-alert.sarif"]
Validating /home/runner/work/terraform-azurerm-storage-entropy/terraform-azurerm-storage-entropy/code-scanning-alert.sarif
Adding fingerprints to SARIF file. See https://docs.github.com/en/code-security/reference/code-scanning/sarif-support-for-code-scanning#data-for-preventing-duplicated-alerts for more information.
(node:5270) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)
Uploading code scanning results
Uploading results
Warning: commit not found - https://docs.github.com/rest
Error: commit not found - https://docs.github.com/rest
```
Other times the workflow succeeds but doesn't create the GHAS objects.
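As an added example (not from the issue author or the gh-aw project), the script below reproduces the workflow's flattening step as a function and then builds the SARIF 2.1.0 document that the `upload-sarif` step in the log ultimately ingests, so the four fields the agent passes to `create_code_scanning_alert` can be checked locally before any upload. The KICS sample data is constructed and the query names are made up; the severity-to-level mapping is this example's choice, not something the page specifies.

```python
"""Flatten a KICS results.json into the agent's findings list, then render it as SARIF."""
import json

# Constructed sample shaped like KICS results.json; query names are invented for the demo.
SAMPLE_KICS_RESULTS = {"queries": [
    {"query_name": "Example HTTPS Check", "severity": "HIGH",
     "description": "HTTPS-only traffic is not enforced",
     "files": [{"file_name": "main.tf", "issues": [{"line": 12}, {"line": 30}]}]},
    {"query_name": "Example Action Pinning", "severity": "LOW",
     "description": "Action is not pinned to a commit SHA",
     "files": [{"file_name": ".github/workflows/ci.yml", "issues": [{"line": 9}]}]},
]}

# Code scanning accepts only error/warning/note; KICS has a wider severity scale.
LEVEL_FOR_SEVERITY = {"critical": "error", "high": "error", "medium": "warning",
                      "low": "note", "info": "note", "trace": "note"}


def flatten_kics(data):
    """One flat record per issue, the same four fields the workflow prompt relies on."""
    findings = []
    for q in data.get("queries", []):
        for f in q.get("files", []):
            for issue in f.get("issues", []):
                findings.append({"file": f["file_name"], "line": issue["line"],
                                 "severity": q["severity"].lower(),
                                 "message": f"{q['query_name']}: {q['description']}"})
    return findings


def to_sarif(findings, tool_name="kics"):
    """Minimal SARIF 2.1.0 run: one rule per distinct query, one result per finding."""
    rules, results = {}, []
    for f in findings:
        rule_id = f["message"].split(": ", 1)[0].lower().replace(" ", "-")
        rules.setdefault(rule_id, {"id": rule_id, "shortDescription": {"text": f["message"]}})
        results.append({
            "ruleId": rule_id,
            "level": LEVEL_FOR_SEVERITY.get(f["severity"], "warning"),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]}}}],
        })
    return {"version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                      "results": results}]}


if __name__ == "__main__":
    print(json.dumps(to_sarif(flatten_kics(SAMPLE_KICS_RESULTS)), indent=2))
```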