Why new issues doesn't appear on Pull Request after SARIF upload

[serhiykrupka]

Select Topic Area

Bug

Body

I have created a new pull request where new security issues have been introduced, but Code scanning says that no new issues are found on this PR (first screenshot). However, if we navigate to the Security tab and filter by per we can see the issue has been introduced in the current PR (see second screenshot).

PR Result

Security tab:

Workflow

name: Trivy Image Scanning
on:
  pull_request:
permissions: write-all
jobs:
  scan:
    name: images-scan
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'redis:7.2-rc3-bookworm'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

[jketema]

Hi @serhiykrupka,

From your screenshots its seems that the file with the new alert is not actually in the repository. Although alerts on such files will show up on the security tab, they will not show up on the PR. For PRs we look at which code was changed to decide what alerts to show.