Testing SARIF results on pull request - analysis not found?

I am attempting to integrate a static analyzer that produces known-good SARIF output into my project's pull request workflow. I have this set up on both the master branch and on everything else - same process: run the analysis, generate the SARIF, call the CodeQL action to upload it.

When I set up a branch protection policy to require everything to succeed, I expected the workflow to nicely fail because there were newly found issues. Unfortunately, it keeps reporting that things were found, but apparently it can't find the analysis for the base branch.

Here is the display in the pull request. I was hoping this is where I would see the failure and the new issues!

When I click to see further, it explains the situation. But I certainly ran the same thing on the commit named (pretty sure!):

The SARIF output is fine, I can click the link to view it anyway and it shows up.

I can’t tell what the problem might be. Searches for these error messages look like this has come up pretty infrequently, and I can’t find a lot of detail on how the Code Scanning Alerts work - which might explain how I’ve gotten my project into this situation.

Help appreciated! Thanks!

  • James

This probably means CodeQL hasn't scanned the base branch yet. @jcroall, can you please confirm whether this is the case?

Hi James,

I talked to the responsible engineering team, and they advised that splitting your workflow file into one for master and one for pull requests will not work with the code scanning integration.
I'd recommend having one workflow file per check, especially if they're independent.
I.e. one workflow file for Coverity, one for Synopsys, etc.
These workflow files should then run on both pull requests and on the master branch.

I hope this helps you, let me know if you have more questions!
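
A workflow laid out the way this reply recommends, added here as an illustration and not taken from the thread or from the github/codeql-action project: one file, triggered on both pushes to master and pull requests, with a single job that runs the analyzer and uploads its SARIF. The analyzer invocation (`./run-analyzer.sh --output results.sarif`) and the `category` value `my-analyzer` are placeholders; the triggers, permissions and the `upload-sarif` action and its `sarif_file`/`category` inputs are standard GitHub Actions syntax.

```yaml
# .github/workflows/static-analysis.yml
# Added example, not from the original post. One workflow file, one check,
# running on both the base branch and on pull requests so that code scanning
# has a baseline analysis to compare each pull request against.
name: Static analysis

on:
  push:
    branches: [master]      # produces the baseline analyses for the base branch
  pull_request:
    branches: [master]      # produces the analyses diffed against that baseline

permissions:
  contents: read
  security-events: write    # required to upload SARIF to code scanning
  actions: read             # needed for private repositories

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Hypothetical analyzer invocation; replace with the real tool.
      - name: Run static analyzer
        run: ./run-analyzer.sh --output results.sarif

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: my-analyzer   # keep identical for both triggers
```

Code scanning identifies an analysis by the workflow file and job that produced it (plus the `category` input when one is given), so the push and pull_request runs must come from the same workflow and job, or the pull request has no baseline to be matched against. Two separate workflow files, one for master and one for pull requests, yield two unrelated analyses, which is the "analysis not found" situation described in the question.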

Ha, thanks! Somebody here just suggested that to me as well. Up and running now. Thanks :slight_smile:

In fact, I am pretty impressed - I didn't realize that the code analysis feature was doing so much behind the scenes to match things with a baseline and recognize them as they may be reported again - very cool!

@criemen Is it possible to run codeql-analysis on all the branches of a repo?
Because I'm having this error:

Since your question about running codeql-action on all branches has been solved on Running codeql-analysis on all the branches of a repository · Issue #462 · github/codeql-action · GitHub, let’s not continue that here as well :slight_smile: