GitHub code scanning error is lost after commit a single file


I'm working on a GitHub code analysis module. My objective is to perform some code analysis on all code and show the results on the security page.

Here is what I do,

  1. Initially, run scanning for all the files and upload the SARIF files to GitHub.
  2. Then, for each committed file, we run code analysis and upload its SARIF file.

Everything runs fine initially. For example, if there are 10 files and 20 security issues, it lists 20 errors in the security tab.

But if I commit any file after modification, then all 20 errors are closed and only the 1-2 errors from the committed file are displayed in the GitHub security tab.

Please help me with how I can retain the errors from all the other files that we generated initially.

Thank you in advance for your help and expertise.


There is 1 answer

felickz

Code Scanning needs to be run against the same set of files each time. A comprehensive database representation of your code base is generated each time you run the tooling. If you were to exclude any files, this may lead to lost data flows or sources/sinks that are no longer in the CodeQL database. In any of those scenarios this may further lead to a vulnerability alert not being detected.

If you do end up creating multiple scanning configurations, they should still have a deterministic set of files they are scanning. Ensure that you are using a distinct SARIF category for any variations of the scan configurations. For the given repo/tool (CodeQL)/configuration, if an alert is not present in a subsequent scan it will be closed. If it is then again present in another subsequent scan, it would be re-opened.

See: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning?learn=code_security_integration#uploading-more-than-one-sarif-file-for-a-commit
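As an added illustration (not from the answer's author and not GitHub's actual implementation), the following Python model encodes only the rule stated above: per (tool, category), an alert absent from the next upload is closed and re-opened if it reappears. The SARIF documents, the tool name `myscanner` and the match key (ruleId, file, line) are all constructed assumptions; GitHub's real matching uses fingerprints, but the lifecycle effect on the asker's 10-file/20-alert scenario is the same.

```python
from dataclasses import dataclass, field


@dataclass
class AlertStore:
    # Constructed model: state per (tool, category) -> {fingerprint: "open"|"closed"}
    state: dict = field(default_factory=dict)

    def upload(self, sarif: dict, category: str) -> dict:
        """Ingest one SARIF upload under a category; return opened/reopened/closed counts."""
        run = sarif["runs"][0]
        tool = run["tool"]["driver"]["name"]
        seen = set()
        for result in run["results"]:
            loc = result["locations"][0]["physicalLocation"]
            # Simplified fingerprint (assumption): rule + file + line.
            seen.add((result["ruleId"], loc["artifactLocation"]["uri"],
                      loc["region"]["startLine"]))
        alerts = self.state.setdefault((tool, category), {})
        opened = reopened = closed = 0
        for fp in seen:
            if fp not in alerts:
                opened += 1
            elif alerts[fp] == "closed":
                reopened += 1
            alerts[fp] = "open"
        # Anything previously open in this category but missing now gets closed.
        for fp, status in alerts.items():
            if fp not in seen and status == "open":
                alerts[fp] = "closed"
                closed += 1
        return {"opened": opened, "reopened": reopened, "closed": closed}

    def open_count(self) -> int:
        return sum(s == "open" for a in self.state.values() for s in a.values())


def make_sarif(findings):
    """Constructed minimal SARIF 2.1.0 document; findings = [(rule, file, line), ...]."""
    results = [{"ruleId": r, "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": f}, "region": {"startLine": l}}}]}
        for r, f, l in findings]
    return {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "myscanner"}},
                                          "results": results}]}


def demo(use_distinct_category: bool):
    """Full scan (10 files, 20 alerts), then a 2-alert scan of one file."""
    store = AlertStore()
    store.upload(make_sarif([("R1", f"src/f{i}.py", 10 + j)
                             for i in range(10) for j in range(2)]), "full-scan")
    partial = make_sarif([("R1", "src/f3.py", 10), ("R1", "src/f3.py", 11)])
    result = store.upload(partial, "incremental" if use_distinct_category else "full-scan")
    return result, store.open_count()
```

`demo(False)` reproduces the asker's symptom (18 alerts closed, 2 left open); `demo(True)` keeps the 20 full-scan alerts open alongside the 2 new ones because the uploads land in different categories.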