
fix(sarif): normalize git source URIs for GitHub Code Scanning compatibility#378

Open
cx-ori-bendet wants to merge 1 commit into master from fix/sarif-github-code-scanning

Conversation

@cx-ori-bendet

Summary

  • When 2ms scans a git repository, secret sources are stored as "git show <SHA>:<filepath>" strings (e.g., "git show abc123:pkg/foo.go")
  • These strings were used directly as artifactLocation.uri in SARIF output, causing GitHub Code Scanning to reject the report with locationFromSarifResult: expected artifact location — because the string contains spaces and is not a valid URI
  • This fix extracts the file path portion and sets uriBaseId: "%SRCROOT%" so GitHub Code Scanning can correctly resolve file locations relative to the repository root

Fixes #128

Test plan

  • New test case git_source_normalized_to_filepath_with_srcroot in TestGetOutputSarif verifies that a secret with Source: "git show abc1234567:pkg/foo.go" produces a SARIF result with artifactLocation.uri = "pkg/foo.go" and artifactLocation.uriBaseId = "%SRCROOT%"
  • Existing tests continue to pass (non-git sources use the full source string as the URI, unchanged)

I submit this contribution under the Apache-2.0 license.

🤖 Generated with Claude Code
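The normalization described above, as an added example written for this page (not code from the 2ms project): a git source string is reduced to its repository-relative path and anchored at %SRCROOT%, every other source passes through unchanged, and the result is rendered as the SARIF location fragment. The hex-only SHA pattern and the struct/field names are assumptions; the expected values are the ones in the test plan.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Matches the "git show <SHA>:<filepath>" form 2ms uses for secrets found in
// git history. Assumption: the SHA is hex, so the first ':' after it starts the path.
var gitSourceRe = regexp.MustCompile(`^git show ([0-9a-fA-F]+):(.+)$`)

// normalizeSource maps a 2ms secret source to SARIF artifactLocation fields.
// Git sources become the repo-relative path anchored at %SRCROOT%; any other
// source is passed through unchanged with no uriBaseId (existing behaviour).
func normalizeSource(source string) (uri, uriBaseID string) {
	if m := gitSourceRe.FindStringSubmatch(source); m != nil {
		return m[2], "%SRCROOT%"
	}
	return source, ""
}

// Minimal SARIF location structs covering only the fields the fix touches.
type artifactLocation struct {
	URI       string `json:"uri"`
	URIBaseID string `json:"uriBaseId,omitempty"`
}
type physicalLocation struct {
	ArtifactLocation artifactLocation `json:"artifactLocation"`
}
type location struct {
	PhysicalLocation physicalLocation `json:"physicalLocation"`
}

// sarifLocation builds the location object for one secret source.
func sarifLocation(source string) location {
	uri, base := normalizeSource(source)
	return location{physicalLocation{artifactLocation{URI: uri, URIBaseID: base}}}
}

// sarifLocationJSON renders the location as it would appear in the report.
func sarifLocationJSON(source string) (string, error) {
	b, err := json.Marshal(sarifLocation(source))
	return string(b), err
}

func main() {
	// Constructed sample source from git history; the uri becomes "pkg/foo.go".
	out, _ := sarifLocationJSON("git show abc1234567:pkg/foo.go")
	fmt.Println(out)
}
```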

…ibility

When scanning git repositories, secret sources are stored as
"git show <SHA>:<filepath>" strings. Using these directly as SARIF
artifactLocation.uri values causes GitHub Code Scanning to reject the
report with "locationFromSarifResult: expected artifact location" because
the string contains spaces and is not a valid URI.

This fix extracts the file path from git source strings and sets
uriBaseId to "%SRCROOT%" so that GitHub Code Scanning can correctly
resolve file locations relative to the repository root.

Fixes #128

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
cx-ori-bendet requested a review from a team as a code owner, March 2, 2026 18:53
@github-actions

github-actions bot commented Mar 2, 2026


KICS version: v1.7.13

Results by category: HIGH 0, MEDIUM 0, LOW 0, INFO 0, TRACE 0, TOTAL 0

Files scanned: 16
Files parsed: 16
Files failed to scan: 0
Total executed queries: 53
Queries failed to execute: 0
Execution time: 1

@github-actions

github-actions bot commented Mar 2, 2026

Checkmarx One – Scan Summary & Details: 67525405-3069-4df5-a623-613258082ccf

Great job! No new security vulnerabilities introduced in this pull request


Successfully merging this pull request may close these issues: Adjust SARIF format to Github Code Scanning
