Skip to content

Commit

Permalink
🐛 SAST detect new GitHub app slug for CodeQL (#3591)
Browse files Browse the repository at this point in the history
* Fix SAST no longer working for CodeQL

The app slug for CodeQL appears to have changed from `github-advanced-security` to `github-code-scanning`, causing the SAST rule to false-negative on commits.

Signed-off-by: martincostello <[email protected]>

* Fix lint warning

Fix lint warning.

Signed-off-by: martincostello <[email protected]>

---------

Signed-off-by: martincostello <[email protected]>
  • Loading branch information
martincostello authored Oct 20, 2023
1 parent 4b8066a commit 49c0eed
Show file tree
Hide file tree
Showing 2 changed files with 76 additions and 2 deletions.
7 changes: 6 additions & 1 deletion checks/sast.go
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,12 @@ const CheckSAST = "SAST"

var errInvalid = errors.New("invalid")

var sastTools = map[string]bool{"github-code-scanning": true, "lgtm-com": true, "sonarcloud": true}
var sastTools = map[string]bool{
"github-advanced-security": true,
"github-code-scanning": true,
"lgtm-com": true,
"sonarcloud": true,
}

var allowedConclusions = map[string]bool{"success": true, "neutral": true}

Expand Down
71 changes: 70 additions & 1 deletion checks/sast_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,53 @@ func Test_SAST(t *testing.T) {
expected: checker.CheckResult{Score: -1},
},
{
name: "Successful SAST checker should return success status",
name: "Successful SAST checker should return success status for github-advanced-security",
commits: []clients.Commit{
{
AssociatedMergeRequest: clients.PullRequest{
MergedAt: time.Now().Add(time.Hour - 1),
},
},
},
searchresult: clients.SearchResponse{},
checkRuns: []clients.CheckRun{
{
Status: "completed",
Conclusion: "success",
App: clients.CheckRunApp{
Slug: "github-advanced-security",
},
},
},
expected: checker.CheckResult{
Score: 10,
},
},
{
name: "Successful SAST checker should return success status for github-code-scanning",
commits: []clients.Commit{
{
AssociatedMergeRequest: clients.PullRequest{
MergedAt: time.Now().Add(time.Hour - 1),
},
},
},
searchresult: clients.SearchResponse{},
checkRuns: []clients.CheckRun{
{
Status: "completed",
Conclusion: "success",
App: clients.CheckRunApp{
Slug: "github-code-scanning",
},
},
},
expected: checker.CheckResult{
Score: 10,
},
},
{
name: "Successful SAST checker should return success status for lgtm",
commits: []clients.Commit{
{
AssociatedMergeRequest: clients.PullRequest{
Expand All @@ -82,6 +128,29 @@ func Test_SAST(t *testing.T) {
Score: 10,
},
},
{
name: "Successful SAST checker should return success status for sonarcloud",
commits: []clients.Commit{
{
AssociatedMergeRequest: clients.PullRequest{
MergedAt: time.Now().Add(time.Hour - 1),
},
},
},
searchresult: clients.SearchResponse{},
checkRuns: []clients.CheckRun{
{
Status: "completed",
Conclusion: "success",
App: clients.CheckRunApp{
Slug: "sonarcloud",
},
},
},
expected: checker.CheckResult{
Score: 10,
},
},
{
name: "Failed SAST checker should return success status",
commits: []clients.Commit{
Expand Down

0 comments on commit 49c0eed

Please sign in to comment.