@security-alert/sarif-to-comment

Version
1.10.10

Post comment to GitHub issue/pull requests.

Purpose

It aims to post CodeQL results to a GitHub Issue or pull request as a comment.

Its SARIF formatter is optimized for the SARIF output that CodeQL produces.

Install

Install with npm:

npm install @security-alert/sarif-to-comment

Usage

Usage
  $ npx @security-alert/sarif-to-comment <sarif-file-path>

Inputs
  <sarif-file-path>             Path to the SARIF file

Options
  --dryRun                      Dry run: render the comment without posting it
  --token                       GitHub token; can also be supplied via the GITHUB_TOKEN environment variable
  --action                      Authentication mode for the token; defaults to PAT, if set switches to GitHub Action
  --ruleDetails                 Include full JSON rule details in the markdown; might be too big for GitHub's API, defaults to false
  --simple                      Simplify the output to only give findings grouped by rule, adds helpUri if present
  --severity                    Filter output issues by their severity level (warning, error, note, none); set the flag once for each level
  --failon                      Exit with code 1 if an issue with that level was detected (warning, error, note, none, or all); set the flag once for each level, NOT affected by severity filtering
  --commentUrl                  Post to comment URL, e.g. https://github.com/owner/repo/issues/85
  --title                       Specify a comment title for the report, optional
  --no-suppressedResults        Don't include results that are marked as suppressed in the SARIF suppressions
  --sarifContentOwner           GitHub owner name of the scanned source, e.g. "owner"
  --sarifContentRepo            GitHub repository name of the scanned source, e.g. "repo"
  --sarifContentBranch          GitHub repository branch name of the scanned source, e.g. "master"
  --sarifContentSourceRoot      Base path to the SARIF scanned source. You can set CodeQL's sourceLocationPrefix as a relative value if necessary

Examples
  # Dry run and preview it (nothing is posted)
  $ GITHUB_TOKEN=xxx npx @security-alert/sarif-to-comment --dryRun --commentUrl "https://github.com/owner/repo/issues/1" --sarifContentOwner "owner" --sarifContentRepo "repo" --sarifContentBranch "master" "./codeql_result.sarif"
  # Post it
  $ GITHUB_TOKEN=xxx npx @security-alert/sarif-to-comment --commentUrl "https://github.com/owner/repo/issues/1" --sarifContentOwner "owner" --sarifContentRepo "repo" --sarifContentBranch "master" "./codeql_result.sarif"
  # Set base path
  $ GITHUB_TOKEN=xxx npx @security-alert/sarif-to-comment --commentUrl "https://github.com/owner/another/issues/1" --sarifContentOwner "owner" --sarifContentRepo "repo" --sarifContentBranch "develop" --sarifContentSourceRoot "./basepath" "./codeql_result.sarif"
  # Use the HEAD commit SHA instead of a branch name so links stay stable
  $ GITHUB_TOKEN=xxx npx @security-alert/sarif-to-comment --commentUrl "https://github.com/owner/another/issues/1" --sarifContentOwner "owner" --sarifContentRepo "repo" --sarifContentBranch `git rev-parse HEAD` "./codeql_result.sarif"
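
The following is an added example, not the package's own code, showing the work the options above imply: reading a SARIF file, applying a severity filter, dropping suppressed results, grouping findings by rule with helpUri (the --simple style), building GitHub source links from owner/repo/branch/sourceRoot, and deriving the --failon exit code. The SARIF document is constructed for the example and the function names (buildSourceUrl, collectFindings, renderMarkdown, exitCode) are hypothetical; only Node's standard library is used.

```javascript
// Added example, not the package's own code: a small SARIF-to-markdown
// summariser that mirrors the behaviour the CLI options describe. Function
// names are hypothetical.

// Constructed SARIF 2.1.0 document, not real CodeQL output.
const SAMPLE_SARIF = {
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "CodeQL", rules: [
      { id: "js/sql-injection",
        shortDescription: { text: "Database query built from user-controlled sources" },
        helpUri: "https://example.invalid/rules/js/sql-injection" },
      { id: "js/unused-local-variable", shortDescription: { text: "Unused variable" } },
    ] } },
    results: [
      { ruleId: "js/sql-injection", level: "error",
        message: { text: "This query depends on a user-provided value." },
        locations: [{ physicalLocation: { artifactLocation: { uri: "src/db.js" }, region: { startLine: 42 } } }] },
      { ruleId: "js/unused-local-variable", level: "note",
        message: { text: "Unused variable tmp." },
        locations: [{ physicalLocation: { artifactLocation: { uri: "src/util.js" }, region: { startLine: 7 } } }] },
      { ruleId: "js/sql-injection", level: "error",
        message: { text: "This query depends on a user-provided value." },
        suppressions: [{ kind: "inSource" }],   // marked suppressed in the SARIF
        locations: [{ physicalLocation: { artifactLocation: { uri: "src/legacy.js" }, region: { startLine: 3 } } }] },
    ],
  }],
};

// Build a GitHub blob link for one SARIF location. sourceRoot plays the role of
// --sarifContentSourceRoot; "./" prefixes and duplicate slashes are normalised.
function buildSourceUrl({ owner, repo, branch, sourceRoot = "" }, location) {
  const phys = location.physicalLocation;
  const path = [sourceRoot, phys.artifactLocation.uri]
    .filter(Boolean).join("/")
    .replace(/^\.\//, "").replace(/\/\.\//g, "/").replace(/\/+/g, "/");
  const url = `https://github.com/${owner}/${repo}/blob/${branch}/${path}`;
  const line = phys.region && phys.region.startLine;
  return line ? `${url}#L${line}` : url;
}

// Flatten all runs into findings. `severity` is the --severity filter (an array
// of levels; omit for no filtering); `includeSuppressed` is --suppressedResults.
function collectFindings(sarif, { severity, includeSuppressed = true } = {}) {
  const findings = [];
  for (const run of sarif.runs) {
    const rules = new Map((run.tool.driver.rules || []).map((r) => [r.id, r]));
    for (const r of run.results || []) {
      const level = r.level || "warning";          // SARIF default when level is omitted
      const suppressed = (r.suppressions || []).length > 0;
      if (!includeSuppressed && suppressed) continue;
      if (severity && !severity.includes(level)) continue;
      findings.push({ ruleId: r.ruleId, level, suppressed, message: r.message.text,
                      rule: rules.get(r.ruleId), location: (r.locations || [])[0] });
    }
  }
  return findings;
}

// --simple style output: one heading per rule (with helpUri when present), then
// one bullet per finding linking to the source line.
function renderMarkdown(sarif, opts) {
  const groups = new Map();
  for (const f of collectFindings(sarif, opts)) {
    if (!groups.has(f.ruleId)) groups.set(f.ruleId, []);
    groups.get(f.ruleId).push(f);
  }
  const lines = [`## ${opts.title || "CodeQL results"}`, ""];
  for (const [ruleId, items] of groups) {
    const rule = items[0].rule;
    const help = rule && rule.helpUri ? ` ([help](${rule.helpUri}))` : "";
    lines.push(`### ${ruleId}${help}`);
    if (rule && rule.shortDescription) lines.push(rule.shortDescription.text);
    for (const f of items) {
      const where = f.location ? buildSourceUrl(opts.content, f.location) : "(no location)";
      lines.push(`- **${f.level}**${f.suppressed ? " (suppressed)" : ""}: ${f.message} ${where}`);
    }
    lines.push("");
  }
  return lines.join("\n");
}

// --failon: exit 1 if any finding has one of the listed levels (or "all").
// The --severity filter is deliberately not applied here, matching the help
// text; whether suppressed results count is an assumption, so it is a parameter.
function exitCode(sarif, failon = [], includeSuppressed = true) {
  if (failon.length === 0) return 0;
  return collectFindings(sarif, { includeSuppressed })
    .some((f) => failon.includes("all") || failon.includes(f.level)) ? 1 : 0;
}

if (typeof require !== "undefined" && require.main === module) {
  const opts = { title: "CodeQL report", severity: ["error", "warning"], includeSuppressed: false,
                 content: { owner: "owner", repo: "repo", branch: "develop", sourceRoot: "./basepath" } };
  console.log(renderMarkdown(SAMPLE_SARIF, opts));
  process.exitCode = exitCode(SAMPLE_SARIF, ["error"], false);
}
```

Run it with node to see the rendered markdown for the constructed document: the suppressed finding and the note-level finding are dropped from the comment body, yet a failon policy of note alone would still fail the build because, as the help text states, --failon ignores the severity filter. Pinning the branch parameter to a commit SHA (as the last CLI example does) keeps the generated links pointing at the lines that were actually scanned.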

Examples

Changelog

See Releases page.

Running tests

Install the devDependencies and run npm test:

npm test

Contributing

Pull requests and stars are always welcome.

For bugs and feature requests, please create an issue.

  • Fork it!
  • Create your feature branch: git checkout -b my-new-feature
  • Commit your changes: git commit -am 'Add some feature'
  • Push to the branch: git push origin my-new-feature
  • Submit a pull request :D

Author

License

MIT © azu

Keywords

sarif

Package last updated on 27 Apr 2023
