Support for SARIF "kind"

[candrews]

Select Topic Area

Product Feedback

Body

GitHub Code Scanning's SARIF importer does not implement SARIF's kind which results in many false alerts.

kind is how SARIF indicates if a result passed or not. Currently, GitHub treats all results as failed, creating alerts for all of them. That's very problematic for SARIF files that record all tests run (including those that passed), as in that case, false alerts are created for the results that passed.

The values for kind and what I think GitHub should do in each case are:

• pass should not record a Code Scanning alert
• open should behave the same as fail (record a Code Scanning alert)
• informational should not record a Code Scanning alert
• notApplicable should not record a Code Scanning alert
• review should behave the same as fail (record a Code Scanning alert)
• fail (default is kind is no specified) should record a Code Scanning alert

Can GitHub please add support for kind?

Here's an example of a SARIF file that uses kind: openscap-report.sarif.txt
It currently imports into GitHub Code Scanning as 657 alerts; it should only result in 5 alerts.

[candrews]

FYI @michaelcfanning @Amndeep7 @aaronlippold

I believe you may like to be aware of this issue and perhaps even escalate it with your contacts?

If GitHub can support kind, it will really help users fully leverage heimdall and SARIF for some powerful use cases.

[aaronlippold]

Let's set up a call to go over this

[candrews]

As a workaround, the results in the SARIF file with kind values that shouldn't result in an alert can be filtered out using jq, like this:
jq 'del(.runs[].results[] | select(.kind == "notApplicable" or .kind == "pass" or .kind == "informational" ))' openscap-report.sarif

[AlonaHlobina]

Hello @candrews,
Thank you for reaching out to us. We understand that the current limitations are causing inconvenience for you and we are sorry about that. Unfortunately, the team responsible for code scanning is currently dealing with a heavy workload and unable to address this issue. However, please be informed that we have placed this improvement request on our priority list and will work on it as soon as we have the resources to do so. We appreciate your patience and understanding in this matter. In the meantime, we hope that the workaround you described will help you overcome this inconvenience.

[M-Remi]

Hello, I am having same issue. When I try to access result.Kind, in an artifact I am developing with c#, it is always returning fail even when the value is not fail in the SARIF file. Is there a way around this or an update I am missing, SARIF version is version": "2.1.0". Thank you

[lyager]

+1 on this. This is the reason for us paying for the security center.