diff --git a/.github/workflows/osv-scanner-reusable-pr.yml b/.github/workflows/osv-scanner-reusable-pr.yml
index 3deb344f52d..d4a41c5cb23 100644
--- a/.github/workflows/osv-scanner-reusable-pr.yml
+++ b/.github/workflows/osv-scanner-reusable-pr.yml
@@ -32,6 +32,11 @@ on: description: "File name of the result SARIF file" type: string default: results.sarif + upload-sarif: description: "Whether to upload to Security > Code Scanning" type: boolean required: false default: true jobs: scan-pr:
@@ -72,21 +77,21 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - if: '!cancelled()' + if: "!cancelled()" uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: SARIF file path: ${{ inputs.results-file-name }} retention-days: 5 - name: "Upload old scan json results" - if: '!cancelled()' + if: "!cancelled()" uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: old-json-results path: old-results.json retention-days: 5 - name: "Upload new scan json results" - if: '!cancelled()' + if: "!cancelled()" uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: new-json-results
@@ -94,7 +99,7 @@ jobs: retention-days: 5 # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - if: '!cancelled()' + if: ${{ !cancelled() && inputs.upload-sarif == true }} uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 with: sarif_file: ${{ inputs.results-file-name }}
diff --git a/.github/workflows/osv-scanner-reusable.yml b/.github/workflows/osv-scanner-reusable.yml
index f1824d3eddd..74790d2b167 100644
--- a/.github/workflows/osv-scanner-reusable.yml
+++ b/.github/workflows/osv-scanner-reusable.yml
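Review bot: The new condition `if: ${{ !cancelled() && inputs.upload-sarif == true }}` on the "Upload to code-scanning" step is written unquoted here but as `"${{ … }}"` in the same step of osv-scanner-reusable.yml (the `@@ -77,7 +82,7 @@` hunk); both spellings are accepted by Actions, but the two reusable workflows are otherwise kept in lockstep and should use one form so fixes can be copied across. Because `upload-sarif` is declared `type: boolean`, the `== true` comparison is redundant and the line can read `if: ${{ !cancelled() && inputs.upload-sarif }}`. The step comment `# Upload the results to GitHub's code scanning dashboard.` could additionally state that this is the only step that needs `security-events: write`, so callers that pass `upload-sarif: false` can drop that permission; the workflow's `permissions` block is outside this hunk, so confirm where it is granted before documenting that.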
@@ -37,6 +37,11 @@ on: required: false default: "" type: string + upload-sarif: description: "Whether to upload to Security > Code Scanning" type: boolean required: false default: true jobs: osv-scan:
@@ -69,7 +74,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - if: '!cancelled()' + if: "!cancelled()" uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: SARIF file
@@ -77,7 +82,7 @@ jobs: retention-days: 5 # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - if: '!cancelled()' + if: "${{ !cancelled() && inputs.upload-sarif == true }}" uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 with: sarif_file: ${{ inputs.results-file-name }}
diff --git a/docs/github-action.md b/docs/github-action.md
index 601b71fcad7..54993228dfc 100644
--- a/docs/github-action.md
+++ b/docs/github-action.md
@@ -73,6 +73,7 @@ Results may be viewed by clicking on the details of the failed action, either fr Default: `results.sarif` - `download-artifact`: Optional artifact to download for scanning. Can be used if you need to do some preprocessing to prepare the lockfiles for scanning. If the file names in the artifact are not standard lockfile names, make sure to add custom scan-args to specify the lockfile type and path (see [specify lockfiles](./usage#specify-lockfiles)).
+- `upload-sarif`: Whether to upload the results to Security > Code Scanning. Defaults to `true`.