Skip to main content

此版本的 GitHub Enterprise 已停止服务 2022-06-03. 即使针对重大安全问题,也不会发布补丁。 要获得更好的性能、改进的安全性和新功能,请升级到 GitHub Enterprise 的最新版本。 如需升级方面的帮助,请联系 GitHub Enterprise 支持

Uploading a SARIF file to GitHub

您可以将 SARIF 文件从第三方静态分析工具上� 到 GitHub,并且在仓库中看到 代� �扫描 来自这些工具的警报。

People with write permissions to a repository can upload 代� �扫描 data generated outside GitHub.

代� �扫描 适用于启用了 GitHub Advanced Security 的组织拥有的仓库。 更多信息请参阅“关于 GitHub Advanced Security”。

Note: Your site administrator must enable 代� �扫描 for 您的 GitHub Enterprise Server 实例 before you can use this feature. For more information, see "Configuring 代� �扫描 for your appliance."

About SARIF file uploads for 代� �扫描

GitHub creates 代� �扫描 alerts in a repository using information from Static Analysis Results Interchange Format (SARIF) files. SARIF files can be uploaded to a repository using the API or GitHub Actions. For more information, see "Managing 代� �扫描 alerts for your repository."

You can generate SARIF files using many static analysis security testing tools, including CodeQL. The results must use SARIF version 2.1.0. For more information, see "SARIF support for 代� �扫描."

You can upload the results using GitHub Actions, the 代� �扫描 API, the CodeQL runner, or the CodeQL CLI. The best upload method will depend on how you generate the SARIF file, for example, if you use:

  • GitHub Actions to run the CodeQL action, there is no further action required. The CodeQL action uploads the SARIF file automatically when it completes analysis.
  • GitHub Actions to run a SARIF-compatible analysis tool, you could update the workflow to include a final step that uploads the results (see below).
  • The CodeQL CLI to run 代� �扫描 in your CI system, you can use the CLI to upload results to GitHub (for more information, see "Installing CodeQL CLI in your CI system").
  • The CodeQL runner, to run 代� �扫描 in your CI system, by default the runner automatically uploads results to GitHub on completion. If you block the automatic upload, when you are ready to upload results you can use the upload command (for more information, see "Running CodeQL runner in your CI system").
  • A tool that generates results as an artifact outside of your repository, you can use the 代� �扫描 API to upload the file (for more information, see "Upload an analysis as SARIF data").

Uploading a 代� �扫描 analysis with GitHub Actions

To use GitHub Actions to upload a third-party SARIF file to a repository, you'll need a workflow. For more information, see "Learn GitHub Actions."

Your workflow will need to use the upload-sarif action, which is part of the github/codeql-action repository. It has input parameters that you can use to configure the upload. The main input parameters you'll use are:

  • sarif-file, which configures the file or directory of SARIF files to be uploaded. The directory or file path is relative to the root of the repository.
  • category (optional), which assigns a category for results in the SARIF file. This enables you to analyze the same commit in multiple ways and review the results using the 代� �扫描 views in GitHub. For example, you can analyze using multiple tools, and in mono-repos, you can analyze different slices of the repository based on the subset of changed files.

For more information see the upload-sarif action.

The upload-sarif action can be configured to run when the push and scheduled event occur. For more information about GitHub Actions events, see "Events that trigger workflows."

If your SARIF file doesn't include partialFingerprints, the upload-sarif action will calculate the partialFingerprints field for you and attempt to prevent duplicate alerts. GitHub can only create partialFingerprints when the repository contains both the SARIF file and the source code used in the static analysis. For more information about preventing duplicate alerts, see "About SARIF support for code scanning."

注意:

  • SAIF 上� 支持每次上� 最多 5000 个结果。 超过此限制的任何结果均被忽略。 如果工具产生太多结果,则应更新配置,以专注于最重要的规则或查询的结果。

  • 对于每次上� ,SARIF 上� 支持最大 10 MB 的 gzip压缩 SARIF 文件。 任何超过此限制的上� 都将被拒绝。 如果 SARIF 文件由于包含太多结果而太大,则应更新配置以专注于最重要的规则或查询的结果。

Example workflow for SARIF files generated outside of a repository

You can create a new workflow that uploads SARIF files after you commit them to your repository. This is useful when the SARIF file is generated as an artifact outside of your repository.

This example workflow runs anytime commits are pushed to the repository. The action uses the partialFingerprints property to determine if changes have occurred. In addition to running when commits are pushed, the workflow is scheduled to run once per week. For more information, see "Events that trigger workflows."

This workflow uploads the results.sarif file located in the root of the repository. For more information about creating a workflow file, see "Learn GitHub Actions."

Alternatively, you could modify this workflow to upload a directory of SARIF files. For example, you could place all SARIF files in a directory in the root of your repository called sarif-output and set the action's input parameter sarif_file to sarif-output. Note that if you upload a directory, each SARIF file must include a unique runAutomationDetails.id to define the category for the results. For more information, see "runAutomationDetails object."

name: "Upload SARIF"

# Run workflow each time code is pushed to your repository and on a schedule.
# The scheduled workflow runs every Thursday at 15:45 UTC.
on:
  push:
  schedule:
    - cron: '45 15 * * 4'

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # This step checks out a copy of your repository.
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif
          # Optional category for the results
          # Used to differentiate multiple results for one commit
          category: my-analysis-tool

Example workflow that runs the ESLint analysis tool

If you generate your third-party SARIF file as part of a continuous integration (CI) workflow, you can add the upload-sarif action as a step after running your CI tests. If you don't already have a CI workflow, you can create one using a GitHub Actions template. For more information, see the "GitHub Actions quickstart."

This example workflow runs anytime commits are pushed to the repository. The action uses the partialFingerprints property to determine if changes have occurred. In addition to running when commits are pushed, the workflow is scheduled to run once per week. For more information, see "Events that trigger workflows."

The workflow shows an example of running the ESLint static analysis tool as a step in a workflow. The Run ESLint step runs the ESLint tool and outputs the results.sarif file. The workflow then uploads the results.sarif file to GitHub using the upload-sarif action. For more information about creating a workflow file, see "Introduction to GitHub Actions."

name: "ESLint analysis"

# Run workflow each time code is pushed to your repository and on a schedule.
# The scheduled workflow runs every Wednesday at 15:45 UTC.
on:
  push:
  schedule:
    - cron: '45 15 * * 3'

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run npm install
        run: npm install
      # Runs the ESlint code analysis
      - name: Run ESLint
        # eslint exits 1 if it finds anything to report
        run: node_modules/.bin/eslint build docs lib script spec-main -f node_modules/@microsoft/eslint-formatter-sarif/sarif.js -o results.sarif || true
      # Uploads results.sarif to GitHub repository using the upload-sarif action
      - uses: github/codeql-action/upload-sarif@v1
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif

Further reading