Skip to content

CI: switch to scan action #372

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
gilescope merged 9 commits into from
Dec 29, 2025
Merged

CI: switch to scan action #372

gilescope merged 9 commits into from
Dec 29, 2025

Conversation

@gilescope
Copy link
Contributor

@gilescope gilescope commented Dec 16, 2025
edited
Loading

This replaces the closed source checkmarx scan action with one using a composite of open source scanners. It should run without issues on contributers PRs.

Uses midnightntwrk/upload-sarif-github-action#43

@gilescope gilescope requested review from a team as code owners December 16, 2025 10:00
@github-advanced-security
Copy link

github-advanced-security bot commented Dec 16, 2025

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

2 similar comments
@github-advanced-security
Copy link

github-advanced-security bot commented Dec 16, 2025

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@github-advanced-security
Copy link

github-advanced-security bot commented Dec 16, 2025

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 16, 2025
View reviewed changes
@gilescope gilescope enabled auto-merge (squash) December 27, 2025 08:32
@cosmir17
fix(ci): post-process cargo-deny SARIF for valid format
61c8bec 
cargo-deny produces SARIF with snippet/message fields as strings,
but the SARIF spec requires them to be objects with a text property.
This causes GitHub to reject the upload.

Add jq post-processing step to transform string values into proper
{"text": "value"} objects before upload.
@cosmir17
fix(ci): add unique categories for SARIF uploads (#404)
573ca4f 
GitHub's CodeQL upload-sarif action requires each SARIF file to have
a unique category when uploading multiple files. Split the single
batch upload into separate uploads with distinct categories:
- cargo-deny
- npm-audit-local-environment
- npm-audit-toolkit-js
- npm-audit-ui-tests
- npm-audit-ui
chrisferry
chrisferry approved these changes Dec 28, 2025
View reviewed changes
Copy link
Contributor

@chrisferry chrisferry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 lgtm

cosmir17
cosmir17 approved these changes Dec 28, 2025
View reviewed changes
Copy link
Contributor

@cosmir17 cosmir17 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

gilescope
gilescope commented Dec 29, 2025
View reviewed changes
@gilescope gilescope merged commit 660e5dc into main Dec 29, 2025
35 checks passed
@gilescope gilescope deleted the giles-decheckmarx branch December 29, 2025 07:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chrisferry chrisferry chrisferry approved these changes

@cosmir17 cosmir17 cosmir17 approved these changes

Assignees

No one assigned

Labels

non-functional-change skip-changes-check-all

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@gilescope @chrisferry @cosmir17 @m2ux