Commit 441aa92

fix: check CodeQL security-severity property for high/critical findings
Also checks level == error. Security findings use security-severity >= 7.0.
1 parent ba8b575 commit 441aa92

File tree

1 file changed

+2
-1
lines changed

.github/workflows/build.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -262,7 +262,8 @@ jobs:
262262
if [ -d "codeql-results" ]; then
263263
for sarif in codeql-results/*.sarif; do
264264
if [ -f "$sarif" ]; then
265-
CODEQL_CRITICAL=$(jq -r '[.runs[0].results[] | select(.level == "error")] | length' "$sarif" 2>/dev/null || echo "0")
265+
# Check for error level OR security-severity >= 7.0 (high/critical)
266+
CODEQL_CRITICAL=$(jq -r '[.runs[0].results[] | select(.level == "error" or ((.properties["security-severity"] // "0") | tonumber >= 7.0))] | length' "$sarif" 2>/dev/null || echo "0")
266267
if [ "$CODEQL_CRITICAL" -gt 0 ]; then
267268
echo "::error::CodeQL found $CODEQL_CRITICAL critical/high severity issue(s)"
268269
FAILED=true
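Review bot: the `2>/dev/null || echo "0"` on the new line 266 now hides a real failure mode the added `tonumber` introduces: if any result's `security-severity` is a non-numeric string, or the SARIF is malformed, jq exits non-zero, `CODEQL_CRITICAL` becomes `0`, and the gate passes silently instead of failing the build. Consider dropping the `|| echo "0"` fallback (or replacing it with an explicit `::error::` and `FAILED=true`) so a parse error is treated as a failure rather than as zero findings. Also worth confirming that CodeQL puts `security-severity` on each result's `.properties`; if it is only attached to the rule definition under `.tool.driver.rules[].properties`, the `// "0"` default means every result falls back to the `level == "error"` test alone and the new high/critical condition never fires, in which case the lookup should resolve the rule via `.ruleIndex` or `.ruleId`. A final minor point: only `.runs[0]` is inspected, so a SARIF file with more than one run would have its later runs ignored.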
