
fix(action): correct full-project SARIF conversion for scan-project output #72

Open
Ty-Robb wants to merge 2 commits into sinewaveai:main from Ty-Robb:fix/69-full-project-sarif-mapping

Conversation


@Ty-Robb Ty-Robb commented Apr 16, 2026

Summary

Fixes full-project SARIF generation in the composite action by mapping from the current scan-project output schema.

What changed

  • Added scripts/project_scan_to_sarif.py to convert project scan JSON to SARIF 2.1.0
  • Updated .github/actions/security-scan/action.yml full-project SARIF path to use the converter
  • Separated full-project scan stdout/stderr:
    • JSON -> /tmp/project-scan.json
    • logs -> /tmp/project-scan.stderr
  • Added regression tests in tests/project-scan-to-sarif.test.js covering:
    • current flat issues[] schema
    • legacy files[].issues[] schema
    • malformed input fallback to valid empty SARIF

Why

The previous full-project conversion logic expected nested files[].issues[] and could miss findings when scan-project returns a flat issues[] list.

Fixes #69
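The two input shapes named in the PR description (a flat `issues[]` list and the legacy `files[].issues[]` nesting) and the malformed-input fallback are easy to get wrong in a one-off converter, so here is an added, self-contained illustration of that mapping. It is example code written for this page, not the project's `scripts/project_scan_to_sarif.py`, and the per-issue field names it reads (`file`, `line`, `severity`, `rule`, `message`) and the sample scan documents are constructed assumptions. One design choice worth noting from a detection standpoint: when the input cannot be parsed, the example still emits a valid, empty SARIF document, but it also records the failure as a `toolExecutionNotifications` error with `executionSuccessful: false` in the run's `invocations`, so a silent parse failure does not look identical to a clean scan.

```python
"""Convert a project-scan JSON document into SARIF 2.1.0 (example, not the project's converter)."""
import json
import sys

SARIF_SCHEMA = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemas/sarif-schema-2.1.0.json"

# Assumed scanner severity vocabulary mapped onto the SARIF result levels.
LEVEL_MAP = {"critical": "error", "high": "error", "medium": "warning", "low": "note", "info": "note"}

# Constructed sample inputs (not real scanner output).
FLAT_SAMPLE = json.dumps({"issues": [
    {"file": "src/app.py", "line": 12, "severity": "high", "rule": "hardcoded-secret", "message": "Credential literal in source"},
    {"file": "src/db.py", "line": 40, "severity": "medium", "rule": "sql-injection", "message": "Query built by string concatenation"},
]})
LEGACY_SAMPLE = json.dumps({"files": [
    {"path": "src/app.py", "issues": [
        {"line": 12, "severity": "low", "rule": "debug-enabled", "message": "Debug mode left on"},
    ]},
]})
MALFORMED_SAMPLE = '{"issues": ['  # truncated JSON, as a crashed scanner might leave it


def _collect_issues(doc):
    """Yield (file_path, issue) pairs from either the flat or the legacy nested schema."""
    pairs = []
    if isinstance(doc.get("issues"), list):                      # current flat schema
        for issue in doc["issues"]:
            if isinstance(issue, dict):
                pairs.append((issue.get("file"), issue))
    if isinstance(doc.get("files"), list):                       # legacy nested schema
        for entry in doc["files"]:
            if not isinstance(entry, dict):
                continue
            for issue in entry.get("issues") or []:
                if isinstance(issue, dict):
                    # An issue-level "file" wins over the enclosing entry's "path".
                    pairs.append((issue.get("file") or entry.get("path"), issue))
    return pairs


def _to_result(path, issue):
    """Build one SARIF result object; location is optional, ruleId and message are not."""
    level = LEVEL_MAP.get(str(issue.get("severity", "")).lower(), "warning")
    result = {
        "ruleId": str(issue.get("rule", issue.get("id", "unknown"))),
        "level": level,
        "message": {"text": str(issue.get("message", "No message provided"))},
    }
    if path:
        physical = {"artifactLocation": {"uri": str(path)}}
        line = issue.get("line")
        if isinstance(line, int) and line >= 1:                  # SARIF lines are 1-based
            physical["region"] = {"startLine": line}
        result["locations"] = [{"physicalLocation": physical}]
    return result


def convert(raw_text, tool_name="example-scanner"):
    """Return a SARIF 2.1.0 document. Malformed input yields an empty but valid run
    whose invocation is flagged unsuccessful, so the failure stays visible."""
    results, notifications, ok = [], [], True
    try:
        doc = json.loads(raw_text)
        if not isinstance(doc, dict):
            raise ValueError("top-level JSON value is not an object")
        for path, issue in _collect_issues(doc):
            results.append(_to_result(path, issue))
    except (ValueError, TypeError) as exc:                       # JSONDecodeError subclasses ValueError
        ok = False
        notifications.append({"level": "error",
                              "message": {"text": f"scan output could not be parsed: {exc}"}})
    return {
        "version": "2.1.0",
        "$schema": SARIF_SCHEMA,
        "runs": [{
            "tool": {"driver": {"name": tool_name}},
            "invocations": [{"executionSuccessful": ok, "toolExecutionNotifications": notifications}],
            "results": results,
        }],
    }


if __name__ == "__main__":
    # Usage: python project_scan_to_sarif_example.py < scan.json > scan.sarif
    json.dump(convert(sys.stdin.read()), sys.stdout, indent=2)
```

When wiring a converter like this into a composite action, treat `executionSuccessful: false` (or a non-empty `toolExecutionNotifications`) as a signal to fail the step, not just an annotation; an empty `results` array alone cannot distinguish a clean tree from a scanner whose output never parsed.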


Ty-Robb commented Apr 16, 2026

Validation notes from local verification:

  • Added regression tests for project-scan -> SARIF conversion covering:
    • current flat issues[] schema
    • legacy files[].issues[] schema
    • malformed input fallback to valid empty SARIF
  • Ran targeted tests and checks:
    • npx vitest run tests/project-scan-to-sarif.test.js (pass)
    • npx vitest run tests/sarif-output.test.js (pass)
    • npx vitest run tests/project-scan-to-sarif.test.js tests/scan-project.test.js tests/scan-diff.test.js (pass)
    • YAML parse check for .github/actions/security-scan/action.yml (pass)
  • In one earlier broad/parallel run, we observed a timeout in a SARIF test (environment/resource-sensitive). Isolated reruns passed.

Recommendation: merge on green CI.


Development

Successfully merging this pull request may close these issues.

[Bug]: Composite action can fail-open when scan-results JSON parse fails