Takes a SARIF file and a list of inclusion and exclusion patterns as input and removes alerts from the SARIF file according to those patterns.
The following example removes all alerts from all Java test files:
name: "Filter SARIF"
on:
push:
branches: [master]
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
language: [ 'java' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
output: sarif-results
upload: failure-only
- name: filter-sarif
uses: advanced-security/filter-sarif@v1
with:
patterns: |
+**/*.java
-**/*Test*.java
input: sarif-results/java.sarif
output: sarif-results/java.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif-results/java.sarif
- name: Upload loc as a Build Artifact
uses: actions/upload-artifact@v4
with:
name: sarif-results
path: sarif-results
retention-days: 1Note how we provided upload: failure-only and output: sarif-results to the analyze action. That way we can filter the SARIF with the filter-sarif action before uploading it via upload-sarif. Diagnostic output is still uploaded and visible on the tool status page if the run fails. Finally, we also attach the resulting SARIF file to the build, which is convenient for later inspection.
Each pattern line is of the form:
[+/-]<file pattern>[:<rule pattern>]
for example:
-**/*Test*.java:** # exclusion pattern: remove all alerts from all Java test files
-**/*Test*.java # ditto, short form of the line above
+**/*.java:java/sql-injection # inclusion pattern: This line has precedence over the first two
# and thus allows alerts of type "java/sql-injection"
**/*.java:java/sql-injection # ditto, the "+" in inclusion patterns is optional
** # allow all alerts in all files (reverses all previous lines)
A minimal config to allow only files in the path myproject/ is:
-**/* # exclusion pattern: DENY ALL
myproject/**/* # inclusion pattern: allows alerts in the path 'myproject/'
- The path separator character in patterns is always
/, independent of the platform the code is running on and independent of the paths in the SARIF file. *matches any character, except a path separator**matches any character and is only allowed between path separators, e.g./**/file.txt,**/file.txtor**. NOT allowed:**.txt,/etc**- The rule pattern is optional. If omitted, it will apply to alerts of all types.
- Subsequent lines override earlier ones. By default all alerts are included.
- If you need to use the literals
+,-,\or:in your pattern, you can escape them with\, e.g.\-this/is/an/inclusion/file/pattern\:with-a-semicolon:and/a/rule/pattern/with/a/\\/backslash. For+and-, this is only necessary if they appear at the beginning of the pattern line.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent