Fixed code scanning alerts still show up as open #23403
Hi, I’ve been reading through the code scanning docs and after configuring it for my repo it flagged some issues, which was great. Then I did some pushes to fix some of the issues and they got marked as “Fixed”. However, they still show on the “is:open” filter and they count towards the total number of security issues on the “Security tab” of the repo. On the Fixing an alert doc it says: “If you have write permission for a repository, you can view fixed alerts by viewing the summary of alerts and clicking Closed. […] The “Closed” list shows fixed alerts and alerts that users have closed.” This is happening to me on this public repo of mine. The filter Am I missing something obvious? Shouldn’t the fixed alerts be in the closed state?
Replies: 2 comments
After talking with GitHub support, this was the solution I was given that worked for me:
This problem happened to me because I had run an initial CodeQL scan and then renamed the workflow for CodeQL. Hope this helps others.
Had the same problem, but the alerts already generated during the initial CodeQL scan were not removed as part of deleting the stale workflow, even though the fix was pushed to the master (or respective) branches. Needed to remove the stale code scanning configurations from those outdated alerts to get that fixed. Refer: https://github.blog/changelog/2023-03-10-delete-stale-code-scanning-configurations-to-close-outdated-alerts/
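The two replies above describe the same mechanism: a code scanning configuration is keyed by the analysis `category` (workflow path, job name and language), so renaming the workflow creates a new category and the old one simply stops receiving uploads while its alerts stay open. The helper below is an added example, not GitHub's code and not from either poster. It runs offline on constructed data shaped like the responses of `GET /repos/{owner}/{repo}/code-scanning/analyses` and `GET .../code-scanning/alerts`, lists the configurations on a branch that have gone quiet, shows which open alerts they are holding, and prints the `gh api` delete calls for their analyses. The owner/repo `octocat/hello-world`, the 30-day staleness threshold and the sample IDs are assumptions for illustration; the web UI route in the changelog linked above achieves the same cleanup without the API.

```python
"""Spot stale code scanning configurations that keep fixed alerts open.

Added example (not GitHub's code, not from the posters above). It works on
the JSON shapes returned by two REST endpoints, which you would fetch with:
  gh api "/repos/OWNER/REPO/code-scanning/analyses?ref=refs/heads/main" --paginate
  gh api "/repos/OWNER/REPO/code-scanning/alerts?state=open" --paginate
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

REF = "refs/heads/main"
# Old workflow file name (before the rename) and the new one (after it).
OLD_CAT = ".github/workflows/codeql-analysis.yml:analyze/language:python"
NEW_CAT = ".github/workflows/codeql.yml:analyze/language:python"

# Constructed sample data shaped like the API responses (not a real repo).
ANALYSES = [
    {"id": 101, "ref": REF, "category": OLD_CAT, "created_at": "2023-01-10T10:00:00Z",
     "tool": {"name": "CodeQL"}, "deletable": False},
    {"id": 102, "ref": REF, "category": OLD_CAT, "created_at": "2023-01-17T10:00:00Z",
     "tool": {"name": "CodeQL"}, "deletable": True},
    {"id": 201, "ref": REF, "category": NEW_CAT, "created_at": "2023-03-01T10:00:00Z",
     "tool": {"name": "CodeQL"}, "deletable": False},
    {"id": 202, "ref": REF, "category": NEW_CAT, "created_at": "2023-03-08T10:00:00Z",
     "tool": {"name": "CodeQL"}, "deletable": True},
]
OPEN_ALERTS = [
    {"number": 7, "state": "open",
     "most_recent_instance": {"ref": REF, "category": OLD_CAT, "state": "open"}},
    {"number": 9, "state": "open",
     "most_recent_instance": {"ref": REF, "category": NEW_CAT, "state": "open"}},
]


def parse_ts(s):
    """Parse the API's ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_upload_per_category(analyses, ref):
    """Most recent upload time for each configuration (category) on `ref`."""
    latest = {}
    for a in analyses:
        if a["ref"] != ref:
            continue
        ts = parse_ts(a["created_at"])
        if a["category"] not in latest or ts > latest[a["category"]]:
            latest[a["category"]] = ts
    return latest


def stale_categories(analyses, ref, now, max_age):
    """Configurations that have not uploaded results within `max_age` (a heuristic)."""
    latest = latest_upload_per_category(analyses, ref)
    return sorted(c for c, ts in latest.items() if now - ts > max_age)


def alerts_held_open_by(alerts, categories):
    """Open alert numbers whose most recent instance belongs to a stale configuration."""
    held = defaultdict(list)
    for al in alerts:
        inst = al["most_recent_instance"]
        if al["state"] == "open" and inst["category"] in categories:
            held[inst["category"]].append(al["number"])
    return dict(held)


def delete_commands(analyses, ref, categories, owner, repo):
    """gh commands deleting a stale configuration's analyses, newest first.

    The API only deletes the most recent analysis of a set, and refuses the
    final one unless `confirm_delete` is passed; removing that final analysis
    is what closes the configuration's remaining alerts.
    """
    cmds = []
    for cat in categories:
        in_set = [a for a in analyses if a["ref"] == ref and a["category"] == cat]
        in_set.sort(key=lambda a: parse_ts(a["created_at"]), reverse=True)
        for i, a in enumerate(in_set):
            path = f"/repos/{owner}/{repo}/code-scanning/analyses/{a['id']}"
            if i == len(in_set) - 1:
                path += "?confirm_delete"
            cmds.append(f'gh api -X DELETE "{path}"')
    return cmds


def report(analyses, alerts, ref, now_iso, max_age_days, owner, repo):
    """Bundle the three checks so the result can be inspected or asserted on."""
    stale = stale_categories(analyses, ref, parse_ts(now_iso), timedelta(days=max_age_days))
    return {
        "stale": stale,
        "held_open": alerts_held_open_by(alerts, stale),
        "commands": delete_commands(analyses, ref, stale, owner, repo),
    }


if __name__ == "__main__":
    r = report(ANALYSES, OPEN_ALERTS, REF, "2023-03-10T00:00:00Z", 30, "octocat", "hello-world")
    print("stale configurations:", r["stale"])
    print("alerts they keep open:", r["held_open"])
    for cmd in r["commands"]:
        print(cmd)
```

Run it against real data by replacing the two constructed lists with the output of the `gh api` calls in the docstring; the one alert still attributed to the old category is exactly the kind the original poster saw counted as open, and deleting that category's final analysis (with `confirm_delete`) is what lets it close.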