Skip to content

Commit

Permalink
ci: update scorecard to skip false positive (#679)
Browse files Browse the repository at this point in the history
  • Loading branch information
jackwotherspoon authored Mar 28, 2023
1 parent 4bb8751 commit af0273a
Showing 1 changed file with 11 additions and 2 deletions.
13 changes: 11 additions & 2 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,16 @@ jobs:
# - Allows the repository to include the Scorecard badge.
# - See https://github.com/ossf/scorecard-action#publishing-results.
publish_results: true


- name: Filter SARIF to skip false positives
# filter out DangerousWorkflow alerts as they do not account for safe use of labels to trigger actions
env:
SCORECARD_SKIPPED_RULE_IDS: "DangerousWorkflowID"
run: |
SCORECARD_SKIPPED_RULE_IDS_JSON=$(echo $SCORECARD_SKIPPED_RULE_IDS | jq -cR 'split(",")')
# Trim the SARIF file to remove false positive detections
cat results.sarif | jq '.runs[].results |= map(select(.ruleId as $id | '$SCORECARD_SKIPPED_RULE_IDS_JSON' | all($id != .)))' > resultsFiltered.sarif
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
Expand All @@ -65,4 +74,4 @@ jobs:
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@04df1262e6247151b5ac09cd2c303ac36ad3f62b # v2.2.9
with:
sarif_file: results.sarif
sarif_file: resultsFiltered.sarif

0 comments on commit af0273a

Please sign in to comment.