Cannot view number of code scanning alerts

I have discovered a workaround to filter two sets of CodeQL results, one that uses security queries and one that follows our coding standard. The workaround essentially takes the CodeQL sarif file and renames the name of the tool, so users can filter the code scanning alerts by tool name. The yml file can be seen here: cFS/codeql-reusable.yml at 2e0220ff41a23ed18616dd5f0bcd0d15805bb950 · ArielSAdams/cFS · GitHub

Here is the main snippet of the yml file:

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
          add-snippets: true
          category: ${{matrix.scan-type}}
          upload: false
          output: CodeQL-Sarif-${{ matrix.scan-type }}
      - name: Rename Sarif
        run: |
          mv CodeQL-Sarif-${{ matrix.scan-type }}/cpp.sarif CodeQL-Sarif-${{ matrix.scan-type }}/Codeql-${{ matrix.scan-type }}.sarif
          sed -i 's/"name" : "CodeQL"/"name" : "CodeQL-${{ matrix.scan-type }}"/g' CodeQL-Sarif-${{ matrix.scan-type }}/Codeql-${{ matrix.scan-type }}.sarif
      - name: Archive Sarif
        uses: actions/upload-artifact@v2
          name: CodeQL-Sarif-${{ matrix.scan-type }}
          path: CodeQL-Sarif-${{ matrix.scan-type }}

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v1
          sarif_file: CodeQL-Sarif-${{ matrix.scan-type }}/Codeql-${{ matrix.scan-type }}.sarif

The issue with this workaround is that the number of code scanning alerts are not visible despite only changing the tool name. Why does this occur? What is a solution to showing the number of code scanning alerts?

Here is the code scanning alerts now:

Unfortunately the count in that dropdown currently only reflects alerts on the default branch, and it seems in your case there are only alerts for a test branch as yet.

We’re actively reviewing this behaviour though, and your explanation of how this is confusing in your situation is much appreciated!

1 Like