
Sarif output #685

Open
ben-wilson-peak opened this issue Feb 5, 2024 · 5 comments
Labels
enhancement New feature or request

Comments

@ben-wilson-peak

Hello, it would be great if the action was able to do SARIF output to better integrate with GH Advanced Security. Doing so would make the PR comment redundant and I believe would be more idiomatic with how the CodeQL ecosystem integrates.

@febuiles febuiles added the enhancement New feature or request label Feb 5, 2024
@jonjanego
Contributor

Hi @ben-wilson-peak ! Could you elaborate a bit more on the workflow you're thinking of, for when you'd use a SARIF output after running the action?

@ben-wilson-peak
Author

ben-wilson-peak commented Feb 5, 2024

> Hi @ben-wilson-peak ! Could you elaborate a bit more on the workflow you're thinking of, for when you'd use a SARIF output after running the action?

Absolutely. I'd like to use it in lieu of the comment output. Personally I find the output to be a little useless. It conveys information but it's not a call for action.

It doesn't need to be SARIF really, I'm happy to change the title. I'm not sure of the functional difference between SARIF with advanced security and just line highlighting. Example here: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#using-workflow-commands-to-access-toolkit-functions

Suggested fixes directly in the PR would be a killer feature, but I understand it adds complexity.
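To make the two output shapes discussed above concrete, here is an added example (not code from dependency-review-action or from anyone in this thread) that turns a constructed list of dependency findings into both a minimal SARIF 2.1.0 log, the format a code-scanning upload step ingests, and the equivalent GitHub Actions workflow-command annotations that produce inline line highlighting on a PR. The findings, package names, advisory ids, the tool name and the severity-to-level mapping are all assumptions made for the example; the SARIF field names and the `::error`/`::warning` command syntax (including its percent-escaping) follow the public SARIF spec and the GitHub workflow-commands documentation.

```python
"""Two output shapes the thread discusses: a SARIF 2.1.0 log (for code-scanning
upload) and GitHub Actions workflow-command annotations (inline line highlighting).
Added example, not code from dependency-review-action; the findings below are
constructed sample data and the severity mapping is an assumption."""
import json

# Constructed sample findings, shaped like what a dependency review of a
# lockfile change might report.  Package names and advisory ids are placeholders.
FINDINGS = [
    {"package": "example-lib", "version": "1.2.3", "advisory": "GHSA-xxxx-xxxx-xxx1",
     "severity": "high", "summary": "Prototype pollution in merge()",
     "file": "package-lock.json", "line": 42},
    {"package": "other-lib", "version": "0.9.0", "advisory": "GHSA-xxxx-xxxx-xxx2",
     "severity": "low", "summary": "Regular expression denial of service",
     "file": "package-lock.json", "line": 88},
]

# Assumed mapping from advisory severity to SARIF result level, which is also
# the workflow command name (::error / ::warning) used for annotations.
LEVEL = {"critical": "error", "high": "error", "moderate": "warning", "low": "warning"}


def to_sarif(findings, tool_name="dependency-review-example"):
    """Build a minimal SARIF 2.1.0 log: one run, one rule per advisory, one
    result per finding with a physical location in the changed manifest."""
    rules, results = {}, []
    for f in findings:
        rule_id = f["advisory"]
        rules.setdefault(rule_id, {
            "id": rule_id,
            "shortDescription": {"text": f["summary"]},
            "helpUri": f"https://github.com/advisories/{rule_id}",
        })
        results.append({
            "ruleId": rule_id,
            "level": LEVEL.get(f["severity"], "warning"),
            "message": {"text": f"{f['package']}@{f['version']}: {f['summary']} ({f['severity']})"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def validate_sarif(doc):
    """Structural checks a consumer relies on: every result's ruleId resolves to
    a declared rule, and every location names a file and a positive line."""
    for run in doc["runs"]:
        rule_ids = {r["id"] for r in run["tool"]["driver"]["rules"]}
        for res in run["results"]:
            if res["ruleId"] not in rule_ids:
                return False
            for loc in res["locations"]:
                phys = loc["physicalLocation"]
                if not phys["artifactLocation"]["uri"] or phys["region"]["startLine"] < 1:
                    return False
    return True


def _escape_data(s):
    # Same escaping the Actions toolkit applies to the message part of a command.
    return s.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def _escape_property(s):
    # Property values additionally escape ':' and ',' because they delimit the command.
    return _escape_data(s).replace(":", "%3A").replace(",", "%2C")


def to_annotations(findings):
    """Render each finding as a workflow command that GitHub shows inline on
    the PR diff (the 'line highlighting' alternative raised in the thread)."""
    lines = []
    for f in findings:
        cmd = LEVEL.get(f["severity"], "warning")
        props = f"file={_escape_property(f['file'])},line={f['line']},title={_escape_property(f['advisory'])}"
        msg = _escape_data(f"{f['package']}@{f['version']}: {f['summary']} ({f['advisory']})")
        lines.append(f"::{cmd} {props}::{msg}")
    return lines


if __name__ == "__main__":
    sarif = to_sarif(FINDINGS)
    assert validate_sarif(sarif)
    print(json.dumps(sarif, indent=2))          # what a SARIF-upload step would ingest
    print("\n".join(to_annotations(FINDINGS)))  # what a step would echo to its log
```

The annotation path is the cheap option: a step only has to echo those lines to its log and GitHub attaches them to the diff. The SARIF path costs a schema but gains the code-scanning alert lifecycle (dismissal, tracking across commits), which is the integration the original request is after. Whichever shape is produced, `validate_sarif` shows the one check worth keeping: a result whose `ruleId` does not match a declared rule is silently dropped or rejected by consumers, so catch it before upload.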

@ben-wilson-peak
Author

Ignore that accidental close, somehow hit Ctrl+Enter 😆

@jonjanego
Contributor

Thanks @ben-wilson-peak. Agree that there are some usability improvements we could make to the dependency review action to make it more actionable and contextual to the workflow run. We'll take this into advisement for future improvements!

As far as suggested fixes go, take a look at using Dependabot to manage dependency updates.

@ben-wilson-peak
Author

> Thanks @ben-wilson-peak. Agree that there are some usability improvements we could make to the dependency review action to make it more actionable and contextual to the workflow run. We'll take this into advisement for future improvements!
>
> As far as suggested fixes go, take a look at using Dependabot to manage dependency updates.

Looking forward to it!

User story wise, we'd ideally like to avoid committing a change which introduces an issue to then have another PR to update the dependency. It would be better to block a bad dep being introduced at the source and patch it there.
