SARIF upload requires additional git commit references #23940

@kbreit-insight

I have an AW with the following manifest:

```markdown
---
on:
  workflow_dispatch:
permissions:
  actions: read
  contents: read
  issues: read
  pull-requests: read
engine:
  id: copilot
  model: claude-opus-4-6
network:
  allowed:
    - defaults
    - python
    - node
    - go
    - java
tools:
  github:
    toolsets: [default]
  edit:
  bash: true
  web-fetch:
  web-search:
steps:
  - name: Checkout repository
    uses: actions/checkout@v6
    with:
      persist-credentials: false
  - name: Create artifact directory
    run: mkdir -p artifacts
  - name: KICS Github Action
    uses: Checkmarx/kics-github-action@v1.7.0
    with:
      path: .
      output_path: artifacts
      output_formats: json,sarif
      ignore_on_exit: results
  - name: Upload KICS results
    uses: actions/upload-artifact@v7
    with:
      name: kics-results
      path: artifacts/results.json
  - name: Flatten KICS findings for agent
    run: |
      python3 -c "
      import json
      SEVERITY_MAP = {'critical': 'error', 'high': 'error', 'medium': 'warning', 'low': 'note', 'info': 'note', 'trace': 'note'}
      data = json.load(open('artifacts/results.json'))
      findings = []
      for q in data.get('queries', []):
        for f in q.get('files', []):
          findings.append({
            'file': f['file_name'],
            'line': f['line'],
            'severity': SEVERITY_MAP.get(q['severity'].lower(), 'note'),
            'message': q['query_name'] + ': ' + q['description']
          })
      print(json.dumps(findings, indent=2))
      " > artifacts/findings.json
safe-outputs:
  create-issue:
  create-agent-session:
  create-discussion:
  update-discussion:
  close-discussion:
  close-issue:
  close-pull-request:
  add-comment:
  create-pull-request:
  create-pull-request-review-comment:
  submit-pull-request-review:
  reply-to-pull-request-review-comment:
  resolve-pull-request-review-thread:
  create-code-scanning-alert:
    # github-token: ${{ secrets.GHAS_TOKEN }}
    max: 10000
  add-labels:
  remove-labels:
  add-reviewer:
  assign-milestone:
  assign-to-agent:
  assign-to-user:
  unassign-from-user:
  update-issue:
  update-pull-request:
  push-to-pull-request-branch:
  upload-asset:
  update-release:
  link-sub-issue:
  hide-comment:
  set-issue-type:
  update-project:
  autofix-code-scanning-alert:
  mark-pull-request-as-ready-for-review:
---

# kics-remediation

Read `artifacts/findings.json` — it contains a flat JSON array where each element has `file`, `line`, `severity`, and `message`. Call `create_code_scanning_alert` once per element, one at a time sequentially (not in parallel), passing those four fields directly. Wait for each call to succeed before proceeding to the next. After all alerts are uploaded, read `artifacts/results.json` to analyze the full results and create a tracking issue. Then create a new branch and perform remediation on findings whose `file` path does NOT start with `.github/` — do not modify any files under `.github/` in the PR (mention those findings in the tracking issue as requiring manual attention). Open a pull request with appropriate labels. NEVER automatically merge the pull request.

<!--
## TODO: Customize this workflow

The workflow has been generated based on your selections. Consider adding:

- [ ] More specific instructions for the AI
- [ ] Error handling requirements
- [ ] Output format specifications
- [ ] Integration with other workflows
- [ ] Testing and validation steps

## Configuration Summary

- **Trigger**: Manual trigger
- **AI Engine**: copilot
- **Tools**: github, edit, bash, web-fetch, web-search
- **Safe Outputs**: create-issue, create-agent-session, create-discussion, update-discussion, close-discussion, close-issue, close-pull-request, add-comment, create-pull-request, create-pull-request-review-comment, submit-pull-request-review, reply-to-pull-request-review-comment, resolve-pull-request-review-thread, create-code-scanning-alert, add-labels, remove-labels, add-reviewer, assign-milestone, assign-to-agent, assign-to-user, unassign-from-user, update-issue, update-pull-request, push-to-pull-request-branch, upload-asset, update-release, link-sub-issue, hide-comment, set-issue-type, update-project, create-project, create-project-status-update, autofix-code-scanning-alert, mark-pull-request-as-ready-for-review
- **Network Access**: ecosystem

## Next Steps

1. Review and customize the workflow content above
2. Remove TODO sections when ready
3. Run `gh aw compile` to generate the GitHub Actions workflow
4. Test the workflow with a manual trigger or appropriate event
-->
```

Out of the box it fails with the following error:

```text
Run github/codeql-action/upload-sarif@0e9f55954318745b37b7933c693bc093f7336125
Post-processing sarif files: ["/home/runner/work/terraform-azurerm-storage-entropy/terraform-azurerm-storage-entropy/code-scanning-alert.sarif"]
Validating /home/runner/work/terraform-azurerm-storage-entropy/terraform-azurerm-storage-entropy/code-scanning-alert.sarif
Adding fingerprints to SARIF file. See https://docs.github.com/en/code-security/reference/code-scanning/sarif-support-for-code-scanning#data-for-preventing-duplicated-alerts for more information.
(node:20494) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)
Uploading code scanning results
  Uploading results
  Warning: commit not found - https://docs.github.com/rest
  Error: commit not found - https://docs.github.com/rest
```

I ran it through Copilot, which made these changes that make it work:

@@ -1921,6 +1921,9 @@ jobs:
             setupGlobals(core, github, context, exec, io);
             const { main } = require('${{ runner.temp }}/gh-aw/actions/safe_output_handler_manager.cjs');
             await main();
+      - name: Reset git HEAD to triggering commit for SARIF upload
+        if: steps.process_safe_outputs.outputs.sarif_file != ''
+        run: git checkout ${{ github.sha }}
       - name: Upload SARIF to GitHub Code Scanning
         id: upload_code_scanning_sarif
         if: steps.process_safe_outputs.outputs.sarif_file != ''
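Review bot: the added `run: git checkout ${{ github.sha }}` step moves the whole job onto a detached HEAD at the triggering commit, not just the upload; every later step (for example the `Assign to Agent` step that follows the upload) now sees that checkout, and the command errors out if the working tree has local modifications that conflict, which would fail the job rather than skip the upload. Given that the next hunk passes `sha`/`ref` explicitly to upload-sarif, this step is redundant for the upload itself; if it is kept, consider `git checkout --detach ${{ github.sha }}` guarded by a `git cat-file -e ${{ github.sha }}^{commit}` check so a shallow clone that lacks the commit fails with a clear message. Interpolating `github.sha` into a `run:` line is acceptable because it is always a fixed 40-hex string; do not extend the same pattern to `github.ref` or `github.head_ref`, which can carry branch names with shell metacharacters.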
@@ -1928,6 +1931,8 @@ jobs:
         with:
           token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           sarif_file: ${{ steps.process_safe_outputs.outputs.sarif_file }}
+          ref: ${{ github.ref }}
+          sha: ${{ github.sha }}
           wait-for-processing: true
       - name: Assign to Agent
         id: assign_to_agent
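Review bot: `ref` and `sha` must describe the same commit or the API rejects the upload; `github.ref`/`github.sha` satisfy that on `workflow_dispatch` and `push`, but on `pull_request` events `github.sha` is the synthetic merge commit and `github.ref` is `refs/pull/N/merge`, so the alerts would attach to the merge ref rather than the PR head branch. The workflow here is `workflow_dispatch` only, so the pairing is right, but a one-line comment in the lock file stating that assumption would stop a later trigger change from silently mis-attributing results. Separately, the `token:` on this step needs `security-events: write`; the frontmatter's `permissions` block grants only read scopes, so confirm the compiled safe-outputs job adds that scope for whichever of `GH_AW_GITHUB_TOKEN` or `GITHUB_TOKEN` is used, otherwise the upload fails with a permissions error instead of the `commit not found` one shown above.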

The output from Copilot is:

● Done. Re-applied both fixes:

   1. git checkout ${{ github.sha }} step before upload — resets local HEAD to the triggering commit so CodeQL reads the right SHA
   2. ref/sha inputs on upload-sarif — explicitly tells GHAS which commit/ref to associate the results with

  ⚠️ Important: These lock file changes will be lost again on the next gh aw compile. Until gh aw supports a hook for customizing the SARIF upload step in the .md source, you'll need to re-apply this patch after every recompile. That would be worth filing as a feature request alongside the severity mapping bug.
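Added example, not code from the issue, from gh-aw, or from KICS: the same flatten logic as the workflow's inline `python3 -c` step, the `.github/` partition the prompt asks the agent to apply, and a minimal SARIF 2.1.0 builder over the flattened records so the scan results can be handed to `codeql-action/upload-sarif` as one file instead of one `create_code_scanning_alert` call per finding. `SAMPLE_RESULTS` is constructed to mirror the `queries`/`files` layout the inline script reads and is not real KICS output; the `ruleId` derivation (query name recovered from the message prefix) and the `%SRCROOT%` base id are this example's own choices.

```python
"""Flatten KICS results.json, split findings for remediation, and emit SARIF 2.1.0.

Added example; not part of the issue, gh-aw, or KICS. SAMPLE_RESULTS is a
constructed stand-in for artifacts/results.json, not real scanner output.
"""
import json

# Same mapping as the workflow's inline python3 -c step (KICS severity -> SARIF level).
SEVERITY_MAP = {
    "critical": "error",
    "high": "error",
    "medium": "warning",
    "low": "note",
    "info": "note",
    "trace": "note",
}

# Constructed sample in the KICS "queries" / "files" layout (not real output).
SAMPLE_RESULTS = {
    "queries": [
        {
            "query_name": "Storage Account Not Using Latest TLS",
            "severity": "HIGH",
            "description": "Storage Account should use the latest TLS version",
            "files": [
                {"file_name": "main.tf", "line": 12},
                {"file_name": ".github/workflows/ci.yml", "line": 3},
            ],
        },
        {
            "query_name": "Missing Tags",
            "severity": "INFO",
            "description": "Resources should have tags",
            "files": [{"file_name": "modules/storage/main.tf", "line": 40}],
        },
    ]
}


def flatten(results):
    """Return the flat list of {file, line, severity, message} records the prompt expects."""
    findings = []
    for q in results.get("queries", []):
        # Unknown or missing severities fall back to "note" rather than failing the run.
        level = SEVERITY_MAP.get(str(q.get("severity", "")).lower(), "note")
        for f in q.get("files", []):
            findings.append({
                "file": f["file_name"],
                "line": f["line"],
                "severity": level,
                "message": q["query_name"] + ": " + q["description"],
            })
    return findings


def split_for_remediation(findings):
    """Partition: anything under .github/ goes to the tracking issue, never into the PR."""
    auto = [f for f in findings if not f["file"].startswith(".github/")]
    manual = [f for f in findings if f["file"].startswith(".github/")]
    return auto, manual


def to_sarif(findings, tool_name="KICS"):
    """Build a minimal SARIF 2.1.0 log from flattened findings.

    ruleId is the query name recovered from the message prefix (an assumption of
    this example: the flattened record carries no separate query id), so alerts
    group per query rather than per location.
    """
    rules, results = {}, []
    for f in findings:
        rule_id = f["message"].split(": ", 1)[0]
        rules.setdefault(rule_id, {"id": rule_id, "shortDescription": {"text": rule_id}})
        results.append({
            "ruleId": rule_id,
            "level": f["severity"],
            "message": {"text": f["message"]},
            "locations": [{
                "physicalLocation": {
                    # %SRCROOT% is the base GitHub resolves against the checked-out repo root.
                    "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                    "region": {"startLine": int(f["line"])},
                }
            }],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    flat = flatten(SAMPLE_RESULTS)
    auto, manual = split_for_remediation(flat)
    print(f"{len(auto)} findings for the PR, {len(manual)} for manual attention")
    print(json.dumps(to_sarif(flat), indent=2))
```

Writing the `to_sarif(...)` output to a file and passing it as `sarif_file` removes the dependency on the agent making sequential tool calls; the upload itself still needs `sha`/`ref` to name a commit GitHub already knows about, which is the failure this issue is about.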
