-
Notifications
You must be signed in to change notification settings - Fork 510
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SAST false positive: CodeQL steps in main workflow not detected #1580
Comments
I ran scorecard on your repo now and got:
Until you get all last 30 commits checked with CodeQL, you'll see the alert. Once the last 30 commits have CodeQL run on them, the alert will disappear. Is the message |
The '1 commit' is there because I added LGTM later on. The other 6 commits before that are all covered by CodeQL. The issue is that all 7 commits are covered by a SAST tool, not just the last one. |
Looking over the SAST step, I see it relies on Github search to detect workflows using the At fault is the Perhaps, instead of using code search, the plugin should load the workflow definition for each run attached to a PR (using the head_ref to get the right revision) and check if there is a |
Good catch. This will be fixed in #1487 which parses the action's yaml instead of using the search API. |
Just run into this - been using CodeQL (and LGTM prior to that) for ~2 years and Scorecard thinks 0 commits have been scanned. Any recommendation? |
Scorecard only looks back 30 commits, so it wouldn't detect that far back.
My guess is it's due to running when merged, but not in the PR before being merged (which as you point out can be slow):
The way scorecard looks for codeql in commits is by looking at the checks at the head commit of the associated PR.
There may be a way for us to grab the data from the merge commit, but I don't have the time to play around with it right this second. |
Thanks a lot for clarifying @spencerschrock! I (wrongly?) assumed that with our policy to squash and merge PRs then run CodeQL on them (squashed & merged commit) was sufficient for scorecard. I'm not a Go person but happy to learn and try helping if you could point out where to start/look ;-) Thanks!! |
Did some initial digging and the head commit associated to the PR has all the appropriate SAST checks, however the
Notes as I dig into this: https://gist.github.com/heitorlessa/04a4f1bd6b9c9185455c85ce77f13147 Areas that I need investigate
Command used to fetch check runs gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/aws-powertools/powertools-lambda-python/commits/ec9c45148a4228ddfb4717259246881c35d7261e/check-runs Excerpt of CodeQL Run {
"id": 14848337843,
"name": "Analyze",
"node_id": "CR_kwDODTo4k88AAAADdQensw",
"head_sha": "ec9c45148a4228ddfb4717259246881c35d7261e",
"external_id": "b9afb22f-0837-5d02-bc24-6c30aee08bcf",
"url": "https://api.github.com/repos/aws-powertools/powertools-lambda-python/check-runs/14848337843",
"html_url": "https://github.com/aws-powertools/powertools-lambda-python/actions/runs/5482980956/jobs/9988864866",
"details_url": "https://github.com/aws-powertools/powertools-lambda-python/actions/runs/5482980956/jobs/9988864866",
"status": "completed",
"conclusion": "success",
"started_at": "2023-07-07T05:09:37Z",
"completed_at": "2023-07-07T05:43:05Z",
"output": {
"title": null,
"summary": null,
"text": null,
"annotations_count": 0,
"annotations_url": "https://api.github.com/repos/aws-powertools/powertools-lambda-python/check-runs/14848337843/annotations"
},
"check_suite": {
"id": 14124947525
},
"app": {
"id": 15368,
"slug": "github-actions",
"node_id": "MDM6QXBwMTUzNjg=",
"owner": {
"login": "github",
"id": 9919,
"node_id": "MDEyOk9yZ2FuaXphdGlvbjk5MTk=",
"avatar_url": "https://avatars.githubusercontent.com/u/9919?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/github",
"html_url": "https://github.com/github",
"followers_url": "https://api.github.com/users/github/followers",
"following_url": "https://api.github.com/users/github/following{/other_user}",
"gists_url": "https://api.github.com/users/github/gists{/gist_id}",
"starred_url": "https://api.github.com/users/github/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/github/subscriptions",
"organizations_url": "https://api.github.com/users/github/orgs",
"repos_url": "https://api.github.com/users/github/repos",
"events_url": "https://api.github.com/users/github/events{/privacy}",
"received_events_url": "https://api.github.com/users/github/received_events",
"type": "Organization",
"site_admin": false
},
"name": "GitHub Actions",
"description": "Automate your workflow from idea to production",
"external_url": "https://help.github.com/en/actions",
"html_url": "https://github.com/apps/github-actions",
"created_at": "2018-07-30T09:30:17Z",
"updated_at": "2019-12-10T19:04:12Z",
"permissions": {
"actions": "write",
"administration": "read",
"checks": "write",
"contents": "write",
"deployments": "write",
"discussions": "write",
"issues": "write",
"merge_queues": "write",
"metadata": "read",
"packages": "write",
"pages": "write",
"pull_requests": "write",
"repository_hooks": "write",
"repository_projects": "write",
"security_events": "write",
"statuses": "write",
"vulnerability_alerts": "read"
},
"events": [
"branch_protection_rule",
"check_run",
"check_suite",
"create",
"delete",
"deployment",
"deployment_status",
"discussion",
"discussion_comment",
"fork",
"gollum",
"issues",
"issue_comment",
"label",
"merge_group",
"milestone",
"page_build",
"project",
"project_card",
"project_column",
"public",
"pull_request",
"pull_request_review",
"pull_request_review_comment",
"push",
"registry_package",
"release",
"repository",
"repository_dispatch",
"status",
"watch",
"workflow_dispatch",
"workflow_run"
]
},
"pull_requests": [
{
"url": "https://api.github.com/repos/Pandinosaurus/aws-lambda-powertools-python/pulls/1",
"id": 1323586820,
"number": 1,
"head": {
"ref": "develop",
"sha": "50949b2d0af3933e88fb6f8623926edab7a39ee1",
"repo": {
"id": 221919379,
"url": "https://api.github.com/repos/aws-powertools/powertools-lambda-python",
"name": "powertools-lambda-python"
}
},
"base": {
"ref": "develop",
"sha": "0c16011a1c0486d3a9fcff16c283e465b0f3ffcd",
"repo": {
"id": 630920868,
"url": "https://api.github.com/repos/Pandinosaurus/aws-lambda-powertools-python",
"name": "aws-lambda-powertools-python"
}
}
},
{
"url": "https://api.github.com/repos/pecigonzalo/aws-lambda-powertools-python/pulls/29",
"id": 995612880,
"number": 29,
"head": {
"ref": "develop",
"sha": "50949b2d0af3933e88fb6f8623926edab7a39ee1",
"repo": {
"id": 221919379,
"url": "https://api.github.com/repos/aws-powertools/powertools-lambda-python",
"name": "powertools-lambda-python"
}
},
"base": {
"ref": "develop",
"sha": "6e37fcefdf239ea15d955c42d29209dcfb25eac7",
"repo": {
"id": 410796572,
"url": "https://api.github.com/repos/pecigonzalo/aws-lambda-powertools-python",
"name": "aws-lambda-powertools-python"
}
}
}
]
} |
Note: ec9c45148a4228ddfb4717259246881c35d7261e is the merge commit, not the head commit of the PR: When I re-run the api call with that commit sha (which is what scorecard currently does), the
We could likely add something that checked the merge commit too, but the difference in slug name would also need to be investigated:
|
My current build workflow clearly uses CodeQL steps:
but this is not being detected:
Perhaps the check needs to be updated?
To be explicit: PRs require the CodeQL checks to pass before they can be merged.
Possible cause: I removed the
github/codeql-action/autobuild
action as my repository doesn't require a compilation step.The text was updated successfully, but these errors were encountered: