From 3300a208d7b22c76517aa7c9db11b548c9b02ed7 Mon Sep 17 00:00:00 2001
From: Julien Poissonnier
Date: Tue, 17 Dec 2024 16:10:15 +0100
Subject: [PATCH] fix filtering when there are no issues
---
 .github/workflows/snyk-scan.yml | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/snyk-scan.yml b/.github/workflows/snyk-scan.yml
index 1a3d54f..b32302f 100644
--- a/.github/workflows/snyk-scan.yml
+++ b/.github/workflows/snyk-scan.yml
@@ -38,9 +38,11 @@ jobs:
 image: ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64
 args: --severity-threshold=high --file=docker/pulumi/Dockerfile
 - name: Filter Sarif File
- # GitHub Code Scanning does not allow more than 20 runs per file. We filter out empty runs to avoid this limit.
+ # GitHub Code Scanning does not allow more than 20 runs per file. We
+ # filter out empty runs to avoid this limit. Note that the file needs to
+ # include at least one run.
 run: |
- python -c 'import json; sarif = json.loads(open("snyk.sarif").read()); sarif["runs"] = [run for run in sarif["runs"] if len(run["results"]) > 0]; open("out.sarif", "w").write(json.dumps(sarif, indent=2))'
+ python -c 'import json; sarif = json.loads(open("snyk.sarif").read()); runs = [run for run in sarif["runs"] if len(run["results"]) > 0]; sarif["runs"] = runs if len(runs) > 0 else [sarif["runs"][0]]; open("out.sarif", "w").write(json.dumps(sarif, indent=2))'
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@v3
 with:
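Review bot: The new fallback `[sarif["runs"][0]]` on the added `python -c` line raises IndexError if the input SARIF contains no runs at all, and `len(run["results"])` raises KeyError for a run that omits `results` (the SARIF schema allows the property to be absent), so either case fails the step with a traceback rather than a message; the same code is repeated in the four other Filter Sarif File hunks (-67, -97, -140, -169). Whether Snyk ever emits such a document is not visible here, but both cases are cheap to tolerate with `runs = [run for run in sarif["runs"] if run.get("results")]` and `sarif["runs"] = runs or sarif["runs"][:1]`, which keeps the present behaviour (first run retained when every run is empty) and yields an empty list instead of crashing when there is nothing to keep. Since the identical one-liner is now maintained in five jobs, consider moving it into a checked-in script (for example `scripts/filter-sarif.py`, a constructed name) invoked from each job, written with `with open(...)` blocks, so a future fix lands in one place. The enclosing jobs start and end outside each hunk.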
@@ -67,9 +69,11 @@ jobs:
 image: ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-amd64
 args: --severity-threshold=high --file=docker/pulumi/Dockerfile
 - name: Filter Sarif File
- # GitHub Code Scanning does not allow more than 20 runs per file. We filter out empty runs to avoid this limit.
+ # GitHub Code Scanning does not allow more than 20 runs per file. We
+ # filter out empty runs to avoid this limit. Note that the file needs to
+ # include at least one run.
 run: |
- python -c 'import json; sarif = json.loads(open("snyk.sarif").read()); sarif["runs"] = [run for run in sarif["runs"] if len(run["results"]) > 0]; open("out.sarif", "w").write(json.dumps(sarif, indent=2))'
+ python -c 'import json; sarif = json.loads(open("snyk.sarif").read()); runs = [run for run in sarif["runs"] if len(run["results"]) > 0]; sarif["runs"] = runs if len(runs) > 0 else [sarif["runs"][0]]; open("out.sarif", "w").write(json.dumps(sarif, indent=2))'
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@v3
 with:
@@ -97,9 +101,11 @@ jobs:
 image: ${{ env.DOCKER_ORG }}/pulumi-base:${{ env.PULUMI_VERSION }}-${{ matrix.os }}-${{ matrix.arch }}
 args: --severity-threshold=high --file=docker/base/Dockerfile.${{ matrix.os }} --platform=linux/${{ matrix.arch }}
 - name: Filter Sarif File
- # GitHub Code Scanning does not allow more than 20 runs per file. We filter out empty runs to avoid this limit.
+ # GitHub Code Scanning does not allow more than 20 runs per file. We
+ # filter out empty runs to avoid this limit. Note that the file needs to
+ # include at least one run.
 run: |
- python -c 'import json; sarif = json.loads(open("snyk.sarif").read()); sarif["runs"] = [run for run in sarif["runs"] if len(run["results"]) > 0]; open("out.sarif", "w").write(json.dumps(sarif, indent=2))'
+ python -c 'import json; sarif = json.loads(open("snyk.sarif").read()); runs = [run for run in sarif["runs"] if len(run["results"]) > 0]; sarif["runs"] = runs if len(runs) > 0 else [sarif["runs"][0]]; open("out.sarif", "w").write(json.dumps(sarif, indent=2))'
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@v3
 with:
@@ -140,9 +146,11 @@ jobs:
 image: ${{ env.IMAGE_NAME }}
 args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian --platform=linux/${{ matrix.arch }}
 - name: Filter Sarif File
- # GitHub Code Scanning does not allow more than 20 runs per file. We filter out empty runs to avoid this limit.
+ # GitHub Code Scanning does not allow more than 20 runs per file. We
+ # filter out empty runs to avoid this limit. Note that the file needs to
+ # include at least one run.
 run: |
- python -c 'import json; sarif = json.loads(open("snyk.sarif").read()); sarif["runs"] = [run for run in sarif["runs"] if len(run["results"]) > 0]; open("out.sarif", "w").write(json.dumps(sarif, indent=2))'
+ python -c 'import json; sarif = json.loads(open("snyk.sarif").read()); runs = [run for run in sarif["runs"] if len(run["results"]) > 0]; sarif["runs"] = runs if len(runs) > 0 else [sarif["runs"][0]]; open("out.sarif", "w").write(json.dumps(sarif, indent=2))'
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@v3
 with:
@@ -169,9 +177,11 @@ jobs:
 image: ${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}:${{ env.PULUMI_VERSION }}-ubi
 args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.ubi --platform=linux/amd64
 - name: Filter Sarif File
- # GitHub Code Scanning does not allow more than 20 runs per file. We filter out empty runs to avoid this limit.
+ # GitHub Code Scanning does not allow more than 20 runs per file. We
+ # filter out empty runs to avoid this limit. Note that the file needs to
+ # include at least one run.
 run: |
- python -c 'import json; sarif = json.loads(open("snyk.sarif").read()); sarif["runs"] = [run for run in sarif["runs"] if len(run["results"]) > 0]; open("out.sarif", "w").write(json.dumps(sarif, indent=2))'
+ python -c 'import json; sarif = json.loads(open("snyk.sarif").read()); runs = [run for run in sarif["runs"] if len(run["results"]) > 0]; sarif["runs"] = runs if len(runs) > 0 else [sarif["runs"][0]]; open("out.sarif", "w").write(json.dumps(sarif, indent=2))'
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@v3
 with: