Create an option to skip/disable upload to code scanning (#702)

Fixes #701

.github/workflows/osv-scanner-reusable-pr.yml

@@ -32,6 +32,11 @@ on:
         description: "File name of the result SARIF file"
         type: string
         default: results.sarif
+      upload-sarif:
+        description: "Whether to upload to Security > Code Scanning"
+        type: boolean
+        required: false
+        default: true
 
 jobs:
   scan-pr:
@@ -72,29 +77,29 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        if: '!cancelled()'
+        if: "!cancelled()"
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: SARIF file
           path: ${{ inputs.results-file-name }}
           retention-days: 5
       - name: "Upload old scan json results"
-        if: '!cancelled()'
+        if: "!cancelled()"
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: old-json-results
           path: old-results.json
           retention-days: 5
       - name: "Upload new scan json results"
-        if: '!cancelled()'
+        if: "!cancelled()"
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: new-json-results
           path: new-results.json
           retention-days: 5
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        if: '!cancelled()'
+        if: ${{ !cancelled() && inputs.upload-sarif == true }}
         uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
           sarif_file: ${{ inputs.results-file-name }}

.github/workflows/osv-scanner-reusable.yml

@@ -37,6 +37,11 @@ on:
         required: false
         default: ""
         type: string
+      upload-sarif:
+        description: "Whether to upload to Security > Code Scanning"
+        type: boolean
+        required: false
+        default: true
 
 jobs:
   osv-scan:
@@ -69,15 +74,15 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        if: '!cancelled()'
+        if: "!cancelled()"
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: SARIF file
           path: ${{ inputs.results-file-name }}
           retention-days: 5
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        if: '!cancelled()'
+        if: "${{ !cancelled() && inputs.upload-sarif == true }}"
         uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
           sarif_file: ${{ inputs.results-file-name }}

docs/github-action.md

@@ -73,6 +73,7 @@ Results may be viewed by clicking on the details of the failed action, either fr
   Default: `results.sarif`
 - `download-artifact`: Optional artifact to download for scanning. Can be used if you need to do some preprocessing to prepare the lockfiles for scanning.
   If the file names in the artifact are not standard lockfile names, make sure to add custom scan-args to specify the lockfile type and path (see [specify lockfiles](./usage#specify-lockfiles)).
+- `upload-sarif`: Whether to upload the results to Security > Code Scanning. Defaults to `true`.
 
 <details markdown="block">
 <summary>