You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning.md
+25-1Lines changed: 25 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -71,6 +71,29 @@ SARIF files support both rules and results. The information stored in these elem
71
71
72
72
When you compare SARIF files generated by analyzing different codebases with the same tool and rules, you should see differences in the results of the analyses but not in the rules.
73
73
74
+
## Specifying the root for source files
75
+
76
+
{% data variables.product.prodname_code_scanning_capc %} interprets results that are reported with relative paths as relative to the root of the repository analyzed. If a result contains an absolute URI, the URI is converted to a relative URI. The relative URI can then be matched against a file committed to the repository.
77
+
78
+
You can provide the source root for conversion from absolute to relative URIs in one of the following ways.
79
+
80
+
-[`checkout_path`](https://github.com/github/codeql-action/blob/c2c0a2908e95769d01b907f9930050ecb5cf050d/analyze/action.yml#L44-L47) input to the `github/codeql-action/analyze` action
81
+
-`checkout_uri` parameter to the SARIF upload API endpoint. For more information, see "[{% data variables.product.prodname_code_scanning_capc %}](/rest/code-scanning#upload-an-analysis-as-sarif-data)" in the REST API documentation
82
+
-[`invocation.workingDirectory.uri`](https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html#_Toc9244365) property in the SARIF file
83
+
84
+
If you provide a source root, any location of an artifact specified using an absolute URI must use the same URI scheme. If there is a mismatch between the URI scheme for the source root and one or more of the absolute URIs, the upload is rejected.
85
+
86
+
For example, a SARIF file is uploaded using a source root of `file:///github/workspace`.
87
+
88
+
```
89
+
# Conversion of absolute URIs to relative URIs for location artifacts
The file is successfully uploaded as both absolute URIs use the same URI scheme as the source root.
96
+
74
97
## Validating your SARIF file
75
98
76
99
<!--UI-LINK: When code scanning fails, the error banner shown in the Security > Code scanning alerts view links to this anchor.-->
@@ -107,6 +130,7 @@ Any valid SARIF 2.1.0 output file can be uploaded, however, {% data variables.pr
107
130
|----|----|
108
131
|`tool.driver`|**Required.** A `toolComponent` object that describes the analysis tool. For more information, see the [`toolComponent` object](#toolcomponent-object). |
109
132
|`tool.extensions[]`|**Optional.** An array of `toolComponent` objects that represent any plugins or extensions used by the tool during analysis. For more information, see the [`toolComponent` object](#toolcomponent-object). |
133
+
|`invocation.workingDirectory.uri`|**Optional.** This field is used only when `checkout_uri` (SARIF upload API only) or `checkout_path` (% data variables.product.prodname_actions %} only) are not provided. The value is used to convert absolute URIs used in [`physicalLocation` objects](#physicallocation-object) to relative URIs. For more information, see "[Specifying the root for source files](#specifying-the-root-for-source-files)."|
110
134
| `results[]` | **Required.** The results of the analysis tool. {% data variables.product.prodname_code_scanning_capc %} displays the results on {% data variables.product.prodname_dotcom %}. For more information, see the [`result` object](#result-object).
111
135
112
136
### `toolComponent` object
@@ -168,7 +192,7 @@ A location within a programming artifact, such as a file in the repository or a
168
192
169
193
| Name | Description |
170
194
|----|----|
171
-
| `artifactLocation.uri`| **Required.** A URI indicating the location of an artifact, usually a file either in the repository or generated during a build. If the URI is relative, it should be relative to the root of the {% data variables.product.prodname_dotcom %} repository being analyzed. For example, main.js or src/script.js are relative to the root of the repository. If the URI is absolute, {% data variables.product.prodname_code_scanning %} can use the URI to checkout the artifact and match up files in the repository. For example, `https://github.com/ghost/example/blob/00/src/promiseUtils.js`.
195
+
|`artifactLocation.uri`|**Required.** A URI indicating the location of an artifact, usually a file either in the repository or generated during a build. For the best results we recommend that this is a relative path from the root of the GitHub repository being analyzed. For example, `src/main.js`. For more information about artifact URIs, see "[Specifying the root for source files](#specifying-the-root-for-source-files)."|
172
196
| `region.startLine` | **Required.** The line number of the first character in the region.
173
197
| `region.startColumn` | **Required.** The column number of the first character in the region.
174
198
| `region.endLine` | **Required.** The line number of the last character in the region.
0 commit comments