Note
This is an unofficial project created by Field Security Services, and is not officially supported by GitHub.
Warning
This method renames the CodeQL tool in the results, which breaks CodeQL Autofix and may affect other features of Code Scanning
This sample GitHub Actions workflow shows you how to enable filtering results from different GitHub Advanced Security Code Scanning runs in the GitHub UI using a workaround.
This is useful when dealing with monorepos that have code for several different projects in the same repository.
You can use this workflow modification to mark each project with a unique scanning tool name, and then filter the results in the GitHub Security tab by that tool to only show results for a specific project.
The SARIF (the format for the code scanning results) is edited before upload to Code Scanning, changing the tool name. CodeQL is also set up so that the content of the SARIF populates the Code Scanning UI correctly.
The unique tool name can then be used to filter results in the web user interface:
Note
This is an unofficial project created by Field Security Services, and is not officially supported by GitHub.
Warning
This method renames the CodeQL tool in the results, which breaks CodeQL Autofix and may affect other features of Code Scanning
To use this workaround, you need to make some modifications to your Actions workflow file that runs CodeQL.
This example uses a monorepo with Java code, but you can adapt it to your own monorepo.
Change the typical analyze
step from:
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}"
to:
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}"
upload: False
output: sarif-results
env:
# https://codeql.github.com/docs/codeql-cli/manual/database-analyze/#options
# add code snippet, query help and group rules by pack, to the SARIF file
CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"analyze":["--sarif-add-snippets","--sarif-add-query-help","--sarif-group-rules-by-pack"]}}'
# Rename CodeQL tool to allow filtering by workflow in Code Scanning
- name: Rename CodeQL tool
run: |
jq ".runs[0].tool.driver.name = \"CodeQL-${WORKFLOW_TAG}-${{matrix.language}}\"" sarif-results/${{ matrix.language }}.sarif > sarif-results/${{ matrix.language }}-edited.sarif
env:
# edit this tag to something unique to your workflow
WORKFLOW_TAG: "some-unique-tag" # this will name the tool 'CodeQL-some-unique-tag-java'
# Upload the CodeQL Analysis results
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: sarif-results/${{ matrix.language }}-edited.sarif
This will rename the CodeQL tool in the SARIF file to include the workflow tag, and uploads the SARIF file to Code Scanning.
The analyze
step has some changes to ensure that the CodeQL results are displayed properly in the GitHub Advcanced Security UI.
See codeql_sample_workflow.yml
.
This repo also contains a very basic monorepo to show it in action on a "real" repo.
- GitHub Actions with
jq
on the runner (included by default on the standard GitHub hosted runners) - GitHub Advanced Security for private GitHub Enterprise repositories, or a public repository
- GitHub.com or GitHub Enterprise Server
This project is licensed under the terms of the MIT open source license. Please refer to the LICENSE for the full terms.
See CODEOWNERS for the list of maintainers.
See the SUPPORT file.
See the CHANGELOG, CONTRIBUTING, SECURITY, SUPPORT, CODE OF CONDUCT and PRIVACY files for more information.