/filter-sarif

GitHub Action for filtering Code Scanning alerts by path and id

Primary LanguageJavaApache License 2.0Apache-2.0

filter-sarif

Takes a SARIF file and a list of inclusion and exclusion patterns as input and removes alerts from the SARIF file according to those patterns.

Example

The following example removes all alerts from all Java test files:

name: "Filter SARIF"
on:
  push:
    branches: [master]

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        language: [ 'java' ]

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}

    - name: Autobuild
      uses: github/codeql-action/autobuild@v3

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:${{matrix.language}}"
        output: sarif-results
        upload: failure-only

    - name: filter-sarif
      uses: advanced-security/filter-sarif@v1
      with:
        patterns: |
          +**/*.java
          -**/*Test*.java
        input: sarif-results/java.sarif
        output: sarif-results/java.sarif

    - name: Upload SARIF
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: sarif-results/java.sarif

    - name: Upload loc as a Build Artifact
      uses: actions/upload-artifact@v4
      with:
        name: sarif-results
        path: sarif-results
        retention-days: 1

Note how we provided upload: failure-only and output: sarif-results to the analyze action. That way we can filter the SARIF with the filter-sarif action before uploading it via upload-sarif. Diagnostic output is still uploaded and visible on the tool status page if the run fails. Finally, we also attach the resulting SARIF file to the build, which is convenient for later inspection.

Patterns

Each pattern line is of the form:

[+/-]<file pattern>[:<rule pattern>]

for example:

-**/*Test*.java:**               # exclusion pattern: remove all alerts from all Java test files
-**/*Test*.java                  # ditto, short form of the line above
+**/*.java:java/sql-injection    # inclusion pattern: This line has precedence over the first two
                                 # and thus allows alerts of type "java/sql-injection"
**/*.java:java/sql-injection     # ditto, the "+" in inclusion patterns is optional
**                               # allow all alerts in all files (reverses all previous lines)

A minimal config to allow only files in the path myproject/ is:

-**/*                            # exclusion pattern: DENY ALL
myproject/**/*                   # inclusion pattern: allows alerts in the path 'myproject/'
  • The path separator character in patterns is always /, independent of the platform the code is running on and independent of the paths in the SARIF file.
  • * matches any character, except a path separator
  • ** matches any character and is only allowed between path separators, e.g. /**/file.txt, **/file.txt or **. NOT allowed: **.txt, /etc**
  • The rule pattern is optional. If omitted, it will apply to alerts of all types.
  • Subsequent lines override earlier ones. By default all alerts are included.
  • If you need to use the literals +, -, \ or : in your pattern, you can escape them with \, e.g. \-this/is/an/inclusion/file/pattern\:with-a-semicolon:and/a/rule/pattern/with/a/\\/backslash. For + and -, this is only necessary if they appear at the beginning of the pattern line.