It is recommended that you use advanced-security-compliance instead; it is more feature-rich than the Fail workflow on alerts action.
Warning: EXPERIMENTAL. Not all of the semantics have been fully tested. Use at your own peril.
This action fails a workflow if there are open Code Scanning alerts that exceed the defined thresholds (e.g. more than X alerts of a given severity).
It looks at open alerts on the current git reference, whether that reference is a PR or not.
Failing is optional: the action always outputs the number of open alerts found per type, and the workflow fails only if the number of alerts of a given TYPE is greater than the configured MAX_ALERT_TYPE.
Known issue: if the action runs immediately after the SARIF file upload (by this or any other action) the results may be delayed. The cause has not been fully determined, but processing of the SARIF file appears to be asynchronous. Run the action as late in the workflow as possible. This no longer happens unless you have set the parameter `wait-for-processing` to false.
Alternatively, you can configure which alert severities cause a failed check (a repository code scanning setting) and combine that with branch protection rules to prevent pull requests from being merged.
```yaml
- uses: tspascoal/fail-workflow-on-alerts-action@v0
  id: alerts
  with:
    max_errors: 10      # optional. Skip or -1 to ignore alerts
    max_warnings: 100   # optional. Skip or -1 to ignore alerts
    max_notes: 1000     # optional. Skip or -1 to ignore alerts
    max_unknowns: 5     # optional. Skip or -1 to ignore alerts
    max_none: 3         # optional. Skip or -1 to ignore alerts
- run: |
    echo number errors ${{ steps.alerts.outputs.error }}
    echo number warnings ${{ steps.alerts.outputs.warning }}
    echo number notes ${{ steps.alerts.outputs.note }}
```
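As an added example (not the action's own source), the threshold semantics described above, written against the alert objects the GitHub code scanning REST API returns (`GET /repos/{owner}/{repo}/code-scanning/alerts`). The `rule.severity` values `error`, `warning`, `note` and `none` are the ones GitHub reports; anything else is bucketed as `unknown`. The `fetchOpenAlerts` helper, the sample alerts and the rule ids in them are constructed for illustration; the "missing or -1 means ignore" convention and the strictly-greater-than comparison follow the parameter descriptions above.

```javascript
// Added example: threshold evaluation over GitHub code scanning alerts.
// Not the action's own code. The REST endpoint and the rule.severity values
// are GitHub's; SAMPLE_ALERTS below is constructed data for illustration.

const SEVERITIES = ["error", "warning", "note", "unknown", "none"];

// Fetch all open alerts for a git ref, following page-based pagination.
// Needs Node 18+ (global fetch) and a token with security_events: read.
async function fetchOpenAlerts(owner, repo, ref, token) {
  const alerts = [];
  for (let page = 1; ; page++) {
    const url =
      `https://api.github.com/repos/${owner}/${repo}/code-scanning/alerts` +
      `?state=open&ref=${encodeURIComponent(ref)}&per_page=100&page=${page}`;
    const res = await fetch(url, {
      headers: {
        Accept: "application/vnd.github+json",
        Authorization: `Bearer ${token}`,
      },
    });
    if (!res.ok) throw new Error(`GitHub API ${res.status} for ${url}`);
    const batch = await res.json();
    alerts.push(...batch);
    if (batch.length < 100) return alerts; // last page
  }
}

// Count open alerts per severity. An alert with no rule.severity, or a value
// outside the known set, lands in "unknown". Non-open alerts (dismissed or
// fixed) are skipped, which is what makes UI dismissals take effect.
function countBySeverity(alerts) {
  const counts = { error: 0, warning: 0, note: 0, unknown: 0, none: 0 };
  for (const alert of alerts) {
    if (alert.state !== "open") continue;
    const sev = alert.rule && alert.rule.severity;
    counts[SEVERITIES.includes(sev) ? sev : "unknown"] += 1;
  }
  return counts;
}

// thresholds maps a severity to its maximum, e.g. { error: 10, warning: 100 }.
// A missing key or -1 ignores that severity ("Skip or -1 to ignore alerts").
// A severity violates only when its count is strictly greater than the max.
function evaluate(alerts, thresholds) {
  const counts = countBySeverity(alerts);
  const violations = [];
  for (const sev of SEVERITIES) {
    const max = thresholds[sev];
    if (max === undefined || max === null || max < 0) continue;
    if (counts[sev] > max) violations.push({ severity: sev, count: counts[sev], max });
  }
  return { counts, violations, failed: violations.length > 0 };
}

// Constructed sample in the shape of the API response, trimmed to the fields used.
const SAMPLE_ALERTS = [
  { number: 1, state: "open", rule: { id: "js/sql-injection", severity: "error" } },
  { number: 2, state: "open", rule: { id: "js/xss", severity: "error" } },
  { number: 3, state: "open", rule: { id: "js/unused-local-variable", severity: "warning" } },
  { number: 4, state: "open", rule: { id: "js/todo-comment", severity: "note" } },
  { number: 5, state: "open", rule: { id: "custom/no-severity-set" } },         // -> unknown
  { number: 6, state: "dismissed", rule: { id: "js/xss", severity: "error" } }, // not counted
];

if (typeof require !== "undefined" && require.main === module) {
  const result = evaluate(SAMPLE_ALERTS, { error: 1, warning: 100, note: 1000, unknown: -1, none: 3 });
  console.log("counts:", result.counts);
  for (const v of result.violations) {
    console.log(`${v.severity}: ${v.count} open alert(s), maximum allowed ${v.max}`);
  }
  console.log(result.failed ? "verdict: FAIL" : "verdict: PASS");
  // In a workflow step you would finish with process.exit(result.failed ? 1 : 0).
}
```

With the sample data and thresholds shown, `error` has two open alerts against a maximum of one, so the verdict is FAIL; the dismissed alert is not counted, and the alert without a severity is counted as `unknown` but ignored because its threshold is -1. In a real workflow you would replace `SAMPLE_ALERTS` with the result of `fetchOpenAlerts(owner, repo, process.env.GITHUB_REF, process.env.GITHUB_TOKEN)`.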
An alternative method is to look directly at the SARIF file generated by CodeQL (or any other scanning tool) and fail the workflow if it contains issues. This method has the disadvantage of not ignoring alerts that you have dismissed in the UI as not important.
This method is described here.
If you want to generate a nice PDF report with the security findings, you can use the GitHub Security Report Action.