This version of GitHub Enterprise was discontinued on 2021-09-23. No patch releases will be made, not even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. Contact GitHub Enterprise Support for help with the upgrade.

Uploading a SARIF file to GitHub

You can upload SARIF files from third-party static analysis tools to GitHub and see code scanning alerts from those tools in your repository.

People with write permissions to a repository can upload code scanning data generated outside GitHub.

Code scanning is available if you have a license for GitHub Advanced Security.

Note: Code scanning is in beta in GitHub Enterprise Server 2.22. For the generally available release of code scanning, upgrade to the latest release of GitHub Enterprise Server.

Note: Your site administrator must enable code scanning for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Configuring code scanning for your appliance."

About SARIF file uploads for code scanning

If your SARIF file doesn't include partialFingerprints, the upload-sarif action will calculate the partialFingerprints field for you and attempt to prevent duplicate alerts. GitHub can only create partialFingerprints when the repository contains both the SARIF file and the source code used in the static analysis. For more information, see "Managing code scanning alerts for your repository."

You can generate SARIF files using many static analysis security testing tools, including CodeQL. To upload results from third-party tools, you must use the Static Analysis Results Interchange Format (SARIF) 2.1.0 format. For more information, see "SARIF support for code scanning."

You can upload the results using GitHub Actions (available if your organization is taking part in the beta program), the code scanning API, or the CodeQL runner. The best upload method will depend on how you generate the SARIF file, for example, if you use:

  • GitHub Actions to run the CodeQL action, there is no further action required. The CodeQL action uploads the SARIF file automatically when it completes analysis.
  • The CodeQL runner to run code scanning in your CI system, GitHub will display code scanning alerts from the uploaded SARIF file in your repository. If you block the automatic upload, when you are ready to upload results you can use the upload command (for more information, see "Running CodeQL code scanning in your CI system").
  • A tool that generates results as an artifact outside of your repository, you can use the code scanning API to upload the file (for more information, see "Upload an analysis as SARIF data").

Uploading a code scanning analysis with GitHub Actions

To upload a third-party SARIF file to GitHub, you'll need a GitHub Actions workflow. For more information, see "Learn GitHub Actions."

Your workflow will need to use the upload-sarif action, which has input parameters that you can use to configure the upload. The main input parameter you'll use is sarif_file, which configures the file or directory of SARIF files to be uploaded. The directory or file path is relative to the root of the repository. For more information, see the upload-sarif action.

The upload-sarif action can be configured to run when the push and scheduled events occur. For more information about GitHub Actions events, see "Events that trigger workflows."

If your SARIF file doesn't include partialFingerprints, the upload-sarif action will calculate the partialFingerprints field for you and attempt to prevent duplicate alerts. GitHub can only create partialFingerprints when the repository contains both the SARIF file and the source code used in the static analysis. For more information about preventing duplicate alerts, see "SARIF support for code scanning."

Notes:

  • SARIF upload supports a maximum of 1000 results per upload. Any results over this limit are ignored. If a tool generates too many results, you should update the configuration to focus on results for the most important rules or queries.

  • For each upload, SARIF upload supports a maximum size of 10 MB for the gzip-compressed SARIF file. Any uploads over this limit will be rejected. If your SARIF file is too large because it contains too many results, you should update the configuration to focus on results for the most important rules or queries.
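The two limits above are easy to trip in CI, so the following added preflight check (written for this page; it is not part of the original page or of the upload-sarif action) parses a SARIF document, counts results across all runs, measures the gzip-compressed size, and reports how many results lack partialFingerprints. The tool name, file path and rule id in the constructed sample are assumptions.

```python
import gzip
import json

MAX_RESULTS = 1000                 # results per upload (limit stated on this page)
MAX_GZIP_BYTES = 10 * 1024 * 1024  # 10 MB gzip-compressed (limit stated on this page)


def check_sarif(sarif_text: str) -> dict:
    """Preflight a SARIF document against the upload limits; returns a report dict."""
    doc = json.loads(sarif_text)
    results = [r for run in doc.get("runs", []) for r in run.get("results", [])]
    missing_fp = sum(1 for r in results if "partialFingerprints" not in r)
    gz_bytes = len(gzip.compress(sarif_text.encode("utf-8")))
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append(f"version {doc.get('version')!r} is not SARIF 2.1.0")
    if len(results) > MAX_RESULTS:
        problems.append(f"{len(results)} results; GitHub ignores anything past {MAX_RESULTS}")
    if gz_bytes > MAX_GZIP_BYTES:
        problems.append(f"{gz_bytes} gzip bytes exceeds the 10 MB limit; upload is rejected")
    return {
        "results": len(results),
        "missing_partial_fingerprints": missing_fp,  # GitHub must compute these itself
        "gzip_bytes": gz_bytes,
        "problems": problems,
        "ok": not problems,
    }


def build_sample(n_results: int, fingerprinted: bool = True) -> str:
    """Constructed SARIF 2.1.0 text with n_results findings from a hypothetical tool."""
    results = []
    for i in range(n_results):
        result = {
            "ruleId": "no-eval",                      # assumed rule id
            "message": {"text": "Avoid eval()"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "lib/app.js"},   # assumed path
                "region": {"startLine": i + 1}}}],
        }
        if fingerprinted:
            result["partialFingerprints"] = {"primaryLocationLineHash": f"h{i}:1"}
        results.append(result)
    log = {"version": "2.1.0",
           "runs": [{"tool": {"driver": {"name": "example-linter"}}, "results": results}]}
    return json.dumps(log)


if __name__ == "__main__":
    for report in (check_sarif(build_sample(2)), check_sarif(build_sample(1001))):
        print(json.dumps(report, indent=2))
```

Run it against results.sarif before the upload step to fail the job early instead of silently losing results past the limit.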

Example workflow for SARIF files generated outside of a repository

You can create a new workflow that uploads SARIF files after you commit them to your repository. This is useful when the SARIF file is generated as an artifact outside of your repository.

This example workflow runs anytime commits are pushed to the repository. The action uses the partialFingerprints property to determine if changes have occurred. In addition to running when commits are pushed, the workflow is scheduled to run once per week. For more information, see "Events that trigger workflows."

This workflow uploads the results.sarif file located in the root of the repository. For more information about creating a workflow file, see "Learn GitHub Actions."

Alternatively, you could modify this workflow to upload a directory of SARIF files. For example, you could place all SARIF files in a directory in the root of your repository called sarif-output and set the action's input parameter sarif_file to sarif-output.

name: "Upload SARIF"

# Run workflow each time code is pushed to your repository and on a schedule.
# The scheduled workflow runs every Friday at 15:45 UTC.
on:
  push:
  schedule:
    - cron: '45 15 * * 5'

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # This step checks out a copy of your repository.
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif

Example workflow that runs the ESLint analysis tool

If you generate your third-party SARIF file as part of a continuous integration (CI) workflow, you can add the upload-sarif action as a step after running your CI tests. If you don't already have a CI workflow, you can create one using a GitHub Actions template. For more information, see the "GitHub Actions quickstart."

This example workflow runs anytime commits are pushed to the repository. The action uses the partialFingerprints property to determine if changes have occurred. In addition to running when commits are pushed, the workflow is scheduled to run once per week. For more information, see "Events that trigger workflows."

The workflow shows an example of running the ESLint static analysis tool as a step in a workflow. The Run ESLint step runs the ESLint tool and outputs the results.sarif file. The workflow then uploads the results.sarif file to GitHub using the upload-sarif action. For more information about creating a workflow file, see "Introduction to GitHub Actions."

name: "ESLint analysis"

# Run workflow each time code is pushed to your repository and on a schedule.
# The scheduled workflow runs every Monday at 15:45 UTC.
on:
  push:
  schedule:
    - cron: '45 15 * * 1'

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run npm install
        run: npm install
      # Runs the ESLint code analysis
      - name: Run ESLint
        # eslint exits 1 if it finds anything to report
        run: node_modules/.bin/eslint build docs lib script spec-main -f node_modules/@microsoft/eslint-formatter-sarif/sarif.js -o results.sarif || true
      # Uploads results.sarif to GitHub repository using the upload-sarif action
      - uses: github/codeql-action/upload-sarif@v1
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif

Further reading