Fixed SARIF upload to add gzip

Author: aegilops

src/malwareMatcher.ts

@@ -3,6 +3,7 @@ import { RepositorySbom, SbomPackage } from "./types.js";
 import { createOctokit } from "./octokit.js";
 import fs from "fs";
 import path from "path";
+import zlib from "zlib";
 import * as semver from "semver";
 
 const our_tool_name = "SBOM Toolkit";
@@ -275,7 +276,16 @@ export async function uploadSarifPerRepo(opts: {
         continue;
       }
       const sarifContent = fs.readFileSync(sarifPath, "utf8");
-      const sarifB64 = Buffer.from(sarifContent, "utf8").toString("base64");
+      // The Code Scanning SARIF upload API expects a base64-encoded *gzip* of the SARIF JSON.
+      // See error: "Could not decode SARIF content. Expected Base64 encoded gzip'd file." if raw JSON is provided.
+      let sarifB64: string;
+      try {
+        const gz = zlib.gzipSync(sarifContent);
+        sarifB64 = gz.toString("base64");
+      } catch (e) {
+        console.error(`Failed to gzip SARIF file ${sarifPath}: ${e instanceof Error ? e.message : String(e)}. Sending uncompressed base64.`);
+        continue;
+      }
       await octokit.request("POST /repos/{owner}/{repo}/code-scanning/sarifs", {
         owner,
         repo: name,