Skip to content

Produce separate SARIF file for quality-queries alerts #2935

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 8 commits into
base: main
Choose a base branch
from
Draft

Produce separate SARIF file for quality-queries alerts #2935

wants to merge 8 commits into from

Conversation

mbg
Copy link
Member

@mbg mbg commented Jun 16, 2025
edited
Loading

Follows on from #2917.

This PR modifies the action to produce separate SARIF files for code quality queries (as specified as arguments to the quality-queries input) and uploads them to the code quality API. The approach here is that:

  • We make an additional call to database interpret-results for queries that were specified as arguments to the quality-queries input (if any). This results in SARIF files for those queries.
  • We then upload them to the CQ API endpoint.

Notes

  • The changes aim to be as backwards-compatible as possible. That includes:
    • We don't (yet) modify the existing SARIF files that are uploaded to the code scanning API to exclude results for quality-queries alerts.
    • SARIF files are output to the same place as before (e.g. as opposed to having separate subdirectories for security and quality SARIFs)

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Confirm the readme has been updated if necessary.
  • Confirm the changelog has been updated if necessary.

@mbg mbg force-pushed the mbg/interpret-cq-results branch from 7dd430e to 87b6687 Compare June 16, 2025 16:32
@mbg mbg force-pushed the mbg/interpret-cq-results branch from 87b6687 to fe76653 Compare June 17, 2025 13:37
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 17, 2025
View reviewed changes
src/upload-lib.ts
Comment on lines +342 to +346
const response = await client.request(target, {
owner: repositoryNwo.owner,
repo: repositoryNwo.repo,
data: payload,
});

Check warning

Code scanning / CodeQL

File data in outbound network request

Outbound network request depends on [file data](1).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mbg