Uploaded SARIF file with Github Actions. Now what?

I’m testing a GitHub Action on a repository, with a third-party static analysis tool.

The GitHub Action clones the code, runs the tool, and produces an exakat.sarif file.
The GitHub Action then uploads it to the GitHub API, thanks to the step, as explained in the docs.

The whole Action works well (the SARIF is produced, the upload returns OK).
Now where do I see the results?

I’ve roamed the source code, in particular on lines where issues are expected, in vain.
I’m expecting to see the results of the SCA at the file:line where they are reported, along with the documentation offered in the SARIF file.
I registered on the Code Scanning waiting list, and I am now accepted.

Is there anything to add to the repository configuration?
Maybe there is some API to call, to check if it works or not.
Maybe the feature is still under work.

Any experience is welcome.
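The workflow described above, written out as an added example (this is not the original poster's workflow, nor exakat's own): checkout, run the analyzer, sanity-check the SARIF it wrote, then upload it with the upload-sarif action. The `./run-analyzer.sh` command line is an assumed placeholder for whatever the real tool invocation is; `actions/checkout`, `github/codeql-action/upload-sarif`, its `sarif_file` and `category` inputs, and the `security-events: write` permission are real. The check step guards the point made later in the thread that code scanning only displays the supported SARIF 2.1.0 properties: a result needs a `ruleId`, a `message.text`, and a physical location with a `uri` and `startLine` before it can be shown on a file:line. Once the upload succeeds, the alerts are listed in the repository's Security tab under code scanning alerts, not as annotations in the source browser.

```yaml
# Added example (not the original poster's workflow): run a third-party
# analyzer, check the SARIF it produced, and upload it to code scanning.
# The analyzer command line is a placeholder; replace it with the real tool.
name: third-party-sarif

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read          # needed by actions/checkout
  security-events: write  # needed by upload-sarif to create alerts

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Placeholder: run the analyzer so that it writes exakat.sarif
      - name: Run static analysis
        run: ./run-analyzer.sh --output exakat.sarif   # assumed command

      # Before uploading, confirm the file carries the SARIF 2.1.0 properties
      # code scanning needs to place an alert on a file:line: a ruleId, a
      # message, and a physical location with an artifact uri and a startLine.
      - name: Check SARIF results have the properties code scanning displays
        run: |
          test "$(jq -r '.version' exakat.sarif)" = "2.1.0"
          incomplete=$(jq '[.runs[] | (.results // [])[]
            | select(.ruleId == null
                     or .message.text == null
                     or (.locations[0].physicalLocation.artifactLocation.uri // null) == null
                     or (.locations[0].physicalLocation.region.startLine // null) == null)]
            | length' exakat.sarif)
          echo "results missing required properties: $incomplete"
          test "$incomplete" -eq 0

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: exakat.sarif
          category: exakat   # keeps this tool's alerts separate from other uploads
```

The check step fails the job rather than uploading a file whose results would be silently dropped or shown without a location, which is the symptom the question describes: an upload that returns OK but produces nothing visible.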

Hi @dseguy,

If you use a third-party static analysis tool to generate a SARIF file and upload it to GitHub via the upload-sarif action, then you can check the code scanning alerts of the repository.
Note: GitHub will only use the supported SARIF 2.1.0 properties to display alerts.

Please follow the official doc below to check the alerts:

And here is a doc for SARIF files generated in different ways:

Thanks

Hi Weide

So, uploading the SARIF works (no error from GitHub after upload).
I can’t enable ‘code scanning’: CodeQL is disabled (the PHP language is not supported yet).

Also, I do not see anything that will handle the uploaded SARIF: would CodeQL use the uploaded SARIF file?
If I enable Scan from ShiftLeft (Marketplace), will the uploaded SARIF file be used?

I think I’m at the point where the third party SARIF can be uploaded, and not used.

Hi @dseguy,

CodeQL will use the uploaded SARIF file, but GitHub will only use the supported SARIF 2.1.0 properties to display alerts. You can check that a SARIF file is compatible with code scanning by testing it against the GitHub ingestion rules. For more information, please visit the Microsoft SARIF validator.

If I enable Scan from ShiftLeft (Marketplace), will the uploaded SARIF file be used?

It will also create a SARIF file and upload it to GitHub; checked on my side, it can analyze and export alerts.

Thanks