GitHub action `v2.21.2` uses `securego/gosec:2.21.1` docker image with broken SARIF output
Closed this issue · 5 comments
Summary
Problem described in #1214 still appears. GitHub action `v2.21.2` still uses `securego/gosec:2.21.1` docker image. The error with SARIF upload is the same.
UPD: `securego/gosec@master` action uses docker image `v2.21.2`, though issue with SARIF output still exists. (link to workflow run)
Steps to reproduce the behavior
Use `securego/gosec:2.21.2` GitHub action against any repository with SARIF output upload to GitHub Advanced Security Dashboard.
gosec version
GitHub action `securego/gosec@v2.21.2`.
Go version (output of 'go version')
No go setup has been performed.
Operating system / Environment
`ubuntu-latest` default GitHub runner.
Expected behavior
GitHub action pulls `securego/gosec:2.21.2` image.
Actual behavior
GitHub action pulls `securego/gosec:2.21.1` image with broken SARIF output.
Action was updated to 2.21.2
Line 13 in 5f3194b
Also the sarif output was successfully uploaded in Github. See the output of https://github.com/securego/gosec/actions/runs/10775152002/job/29878917216
@ccojocar Workflow uses `securego/gosec@master`, see line 18.
Hi @ccojocar,
I kindly ask if you could consider reopening the issue, as it seems there might be an inconsistency with tag 2.21.2 of `securego/gosec`.
Also the sarif output was successfully uploaded in Github. See the output of https://github.com/securego/gosec/actions/runs/10775152002/job/29878917216
In your run, it appears that `securego/gosec` is using the `master` branch, see line 33 of the output https://github.com/securego/gosec/actions/runs/10775152002/job/29878917216#step:1:37.
On our side, we're using the tag `v2.21.2`, which seems to be pulling a previous version of the Docker image. Please, see line 33 from our run: https://github.com/wavesplatform/gowaves/actions/runs/10812421492/job/29994022318?pr=1492#step:1:37
I understand this issue was previously closed, but I would greatly appreciate it if you could take another look.
Thank you for your time and consideration!
Workflow uses securego/gosec@master, see line 18.
It is the action version from the master branch, but inside of that action is using gosec version 2.21.2 as I pointed above.
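The mismatch discussed in this thread (action tag `v2.21.2` running image `2.21.1`, while `@master` runs a different image) can be checked from the action's metadata before a workflow depends on it. The script below is an added example, not code from the thread or from the gosec project; it assumes a Docker container action that declares its image as `docker://name:tag` under `runs:`, and the function names and the sample metadata are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: does the image tag pinned in a Docker container action's
# metadata match the release tag a workflow references?

# Print the tag of the docker:// image declared in action metadata on stdin.
# Digest-pinned (@sha256:...) and untagged images print nothing.
pinned_image_tag() {
  sed -n -E "s|^[[:space:]]+image:[[:space:]]*[\"']?docker://[^\"'[:space:]@]+:([^:/\"'[:space:]]+)[\"']?[[:space:]]*(#.*)?\$|\1|p" | head -n 1
}

# Usage: check_action_image REF < action.yml
# Returns 0 if REF (leading "v" ignored) equals the pinned image tag,
# 1 on mismatch, 2 if REF is a branch such as master or no tag was found.
check_action_image() {
  ref="$1"
  tag="$(pinned_image_tag)"
  if [ -z "$tag" ]; then
    echo "no tagged docker:// image found" >&2
    return 2
  fi
  case "$ref" in
    v[0-9]*) ;;
    *) echo "ref '$ref' is not a release tag; it runs image tag $tag" >&2
       return 2 ;;
  esac
  if [ "${ref#v}" = "$tag" ]; then
    echo "ok: $ref runs image tag $tag"
    return 0
  fi
  echo "mismatch: $ref runs image tag $tag"
  return 1
}

# Constructed metadata reproducing the reported state (not the real file).
sample_action_yml() {
  cat <<'EOF'
name: "Gosec Security Checker"
runs:
  using: "docker"
  image: "docker://securego/gosec:2.21.1"
  args:
    - ${{ inputs.args }}
EOF
}

sample_action_yml | check_action_image v2.21.2 || true
```

To check a real release, pipe the `action.yml` from the checked-out tag into `check_action_image` with the same ref the workflow uses.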