Description
While running KICS with the --report-formats "sarif" option, the generated SARIF file contains duplicate taxa entries in runs[0].taxonomies[1].taxa. This causes schema validation errors and prevents the SARIF file from being uploaded to GitHub or other SARIF consumers.
We use KICS on Terraform IaC, and some results (specifically rule CWE-798) are being reported multiple times due to several @Microsoft.KeyVault(...) references, which are false positives in our case (the actual secrets are not hardcoded, they are securely referenced via Key Vault).
Error raised during validation:
instance.runs[0].taxonomies[1].taxa contains duplicate item
Error: Unable to upload "./results/results.sarif" as it is not valid SARIF
Steps to Reproduce the Problem
Run KICS with a Terraform file containing several @Microsoft.KeyVault(...) references like:
Specifications
KICS Version: v2.1.11 (used in our GitHub Action)
Platform: GitHub Actions / Ubuntu
SARIF Consumer: github/codeql-action/upload-sarif@v3
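The validation failure described above can be checked for (and worked around in the pipeline) before the upload step. The following Python script is an added example, not part of KICS or this issue; it flags any taxon that repeats inside a taxonomy, comparing whole objects the way the SARIF schema's uniqueItems constraint does, and can strip the repeats in place. The sample SARIF document is constructed to mirror the reported layout.

```python
import json
from typing import List, Tuple

# Constructed sample mirroring the issue: runs[0].taxonomies[1].taxa repeats
# the CWE-798 taxon. It is not the output of a real KICS run.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "KICS"}},
        "taxonomies": [
            {"name": "Categories", "taxa": [{"id": "Secret Management"}]},
            {"name": "CWE", "taxa": [{"id": "CWE-798"}, {"id": "CWE-798"}, {"id": "CWE-259"}]},
        ],
    }],
}


def _key(taxon: dict) -> str:
    # Canonical JSON: the schema's uniqueItems compares whole objects, not just "id".
    return json.dumps(taxon, sort_keys=True, separators=(",", ":"))


def find_duplicate_taxa(sarif: dict) -> List[Tuple[int, int, str]]:
    """Return (run_index, taxonomy_index, taxon_id) for every repeated taxon."""
    found = []
    for r, run in enumerate(sarif.get("runs", [])):
        for t, taxonomy in enumerate(run.get("taxonomies", [])):
            seen = set()
            for taxon in taxonomy.get("taxa", []):
                k = _key(taxon)
                if k in seen:
                    found.append((r, t, taxon.get("id", "<no id>")))
                seen.add(k)
    return found


def dedupe_taxa(sarif: dict) -> int:
    """Drop repeated taxa in place (first occurrence kept); return how many were removed."""
    removed = 0
    for run in sarif.get("runs", []):
        for taxonomy in run.get("taxonomies", []):
            seen, kept = set(), []
            for taxon in taxonomy.get("taxa", []):
                k = _key(taxon)
                if k in seen:
                    removed += 1
                else:
                    seen.add(k)
                    kept.append(taxon)
            taxonomy["taxa"] = kept
    return removed
```

Running `find_duplicate_taxa` on the parsed results.sarif before `upload-sarif` turns the opaque "contains duplicate item" error into a precise location, and `dedupe_taxa` followed by `json.dump` gives an upload-safe copy until the generator is fixed.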