
Commit 83b21c6

fix: add security-severity column to CodeQL findings table
Display security-severity score from rule definitions in the CodeQL findings summary table, providing better visibility when findings trigger build failures due to high security-severity (>= 7.0).
1 parent f9770de commit 83b21c6

1 file changed

+10
-3
lines changed

.github/workflows/build.yml

Lines changed: 10 additions & 3 deletions
@@ -172,9 +172,16 @@ jobs:
172172
echo "<details>" >> $GITHUB_STEP_SUMMARY
173173
echo "<summary>View $RESULTS finding(s)</summary>" >> $GITHUB_STEP_SUMMARY
174174
echo "" >> $GITHUB_STEP_SUMMARY
175-
echo "| Severity | Rule | Location | Message |" >> $GITHUB_STEP_SUMMARY
176-
echo "|----------|------|----------|---------|" >> $GITHUB_STEP_SUMMARY
177-
jq -r '.runs[0].results[] | "| \(.level // "warning") | \(.ruleId // "unknown") | `\(.locations[0].physicalLocation.artifactLocation.uri // "unknown"):\(.locations[0].physicalLocation.region.startLine // "?")` | \(.message.text | gsub("\n"; " ") | gsub("\\|"; "\\\\|") | .[0:80]) |"' "$sarif" >> $GITHUB_STEP_SUMMARY
175+
echo "| Level | Security | Rule | Location | Message |" >> $GITHUB_STEP_SUMMARY
176+
echo "|-------|----------|------|----------|---------|" >> $GITHUB_STEP_SUMMARY
177+
# Join results with rules to get security-severity (which is on rule definitions, not results)
178+
jq -r '
179+
(.runs[0].tool.driver.rules // []) as $driver_rules |
180+
([.runs[0].tool.extensions[]?.rules // []] | add // []) as $ext_rules |
181+
($driver_rules + $ext_rules | map({(.id): (.properties["security-severity"] // null)}) | add // {}) as $severities |
182+
.runs[0].results[] |
183+
"| \(.level // "warning") | \($severities[.ruleId] // "N/A") | \(.ruleId // "unknown") | `\(.locations[0].physicalLocation.artifactLocation.uri // "unknown"):\(.locations[0].physicalLocation.region.startLine // "?")` | \(.message.text | gsub("\n"; " ") | gsub("\\|"; "\\\\|") | .[0:80]) |"
184+
' "$sarif" >> $GITHUB_STEP_SUMMARY
178185
echo "" >> $GITHUB_STEP_SUMMARY
179186
echo "</details>" >> $GITHUB_STEP_SUMMARY
180187
fi
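Review bot: the new `\($severities[.ruleId] // "N/A")` in the results line regresses the missing-`ruleId` case that the old line handled with `.ruleId // "unknown"`: when a result has no `ruleId`, jq evaluates `$severities[null]`, which is an error ("Cannot index object with null") rather than a null that `// "N/A"` could catch, so the whole summary table aborts and, because the job shell runs with `-e`, the step fails on a reporting cosmetic. Guard the lookup with the same default the rule column already uses, e.g. `\($severities[.ruleId // "unknown"] // "N/A")`, or bind `(.ruleId // "unknown") as $rid` once and use `$rid` in both columns. Two smaller points on the same hunk: the `map({(.id): ...})` over `$driver_rules + $ext_rules` will likewise error if any rule object lacks `id` (SARIF requires it, so this is only a defensive note), and since the commit message ties this column to the >= 7.0 build-failure threshold, it would help readers of the summary to say in the comment on line 177 that `security-severity` is a string score from the rule's `properties` and is shown verbatim, so "N/A" means the rule carries no score, not a score of zero.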
