
I'm having a GH-action which checks out source code, builds it, CodeQL-checks it (+uploads the SARIF results) and then publishes the built artifact to Artifactory.

However, I would need to abort the publishing to our repo if there were vulnerabilities found by the github/codeql-action/analyze@v2 job. Only push if everything is ok.

Is this possible? Any way to access the scanning results inside the same running action workflow?

Toni Kanoni
  • Can you simply not check the output file and decide on the basis of its contents before uploading? – Azeem Mar 30 '23 at 17:10
  • @Azeem That's what I want to achieve, I need to somehow know about the results of the analysis before uploading – Toni Kanoni Apr 04 '23 at 10:46
  • Looks like SARIF is similar to JSON. You can use `jq` to check the results and then make decisions accordingly. If you have a sample SARIF file with vulnerabilities, please include that in your question. See [SARIF support for code scanning](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning). – Azeem Apr 04 '23 at 11:24

1 Answer


As the CodeQL documentation states:

By default, only alerts with the severity level of Error or security severity level of Critical or High will cause a pull request check failure.

You can configure your repository settings to fail on security alerts with the severity of Medium.

[Screenshot: repo settings]

Then scroll down to Pull request check failure under Protection rules:

[Screenshot: Pull request check failure]

Then set the levels you want.

[Screenshot: severity levels]

See more:

Fcmam5
  • Thank you for the hint about severity! Though I am here not talking about Pull Requests, but really checking the results inside the GH-action workflow. I guess this is not possible? – Toni Kanoni Mar 31 '23 at 09:17
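The SARIF check that the comments on the question suggest, written out as an added Python example (it is not code from the question, the answer or the codeql-action project): it reads a SARIF file such as the one the analyze step writes to its output directory, treats results at level "error" and rules whose security-severity falls in GitHub's high or critical bands (7.0 and above) as blocking, and exits non-zero so a later publish step does not run. The SARIF document and its rule ids are constructed sample data; lowering the threshold to 4.0 mirrors the "fail on Medium" repository setting described in the answer.

```python
"""Fail a CI step when a CodeQL SARIF file contains blocking findings (added example)."""
import json
import sys
from pathlib import Path

HIGH_THRESHOLD = 7.0  # GitHub's security-severity bands: high >= 7.0, critical >= 9.0

# Constructed SARIF fragment (not real scan output): one error-level finding
# with a high security-severity, one medium-severity warning, one plain note.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "js/sql-injection", "defaultConfiguration": {"level": "error"},
         "properties": {"security-severity": "8.8"}},
        {"id": "js/example-medium", "defaultConfiguration": {"level": "warning"},
         "properties": {"security-severity": "5.0"}},
        {"id": "js/unused-local-variable", "defaultConfiguration": {"level": "note"}}]}},
    "results": [
        {"ruleId": "js/sql-injection", "message": {"text": "tainted SQL query"}},
        {"ruleId": "js/example-medium", "level": "warning", "message": {"text": "m"}},
        {"ruleId": "js/unused-local-variable", "level": "note", "message": {"text": "n"}}]}]}

def rule_index(run):
    """Map ruleId -> rule metadata; CodeQL may place rules under tool.extensions."""
    tool = run.get("tool", {})
    rules = {r["id"]: r for r in tool.get("driver", {}).get("rules", [])}
    for ext in tool.get("extensions", []):
        for r in ext.get("rules", []):
            rules.setdefault(r["id"], r)
    return rules

def blocking_results(sarif, threshold=HIGH_THRESHOLD):
    """Return (ruleId, level, security-severity) for each result at level 'error' or
    whose rule's security-severity is >= threshold; a result without its own level
    inherits the rule's defaultConfiguration, as CodeQL output commonly does."""
    hits = []
    for run in sarif.get("runs", []):
        rules = rule_index(run)
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            score = rule.get("properties", {}).get("security-severity")
            if level == "error" or (score is not None and float(score) >= threshold):
                hits.append((res["ruleId"], level, score))
    return hits

if __name__ == "__main__":  # gate on the SARIF files given as arguments, or on the sample
    docs = [json.loads(Path(p).read_text()) for p in sys.argv[1:]] or [SAMPLE_SARIF]
    found = [hit for doc in docs for hit in blocking_results(doc)]
    print(*found, sep="\n")
    sys.exit(1 if found else 0)  # a non-zero exit fails the step before publishing runs
```

Run it as a workflow step between the analyze step and the publish step, pointing it at the SARIF file(s) the analyze step produced; a failing step prevents the subsequent publish step from executing.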