upload-sarif: token input doesn't work

[jesus-linares]

I have this step in a workflow and it works:

      - name: "Upload Trivy scan results to GitHub Security tab"
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: '${{ env.trivy_output_file }}'
          category: 'trivy-image-${{ matrix.image }}'

but it doesn't work if add the token argument:

      - name: "Upload Trivy scan results to GitHub Security tab"
        uses: github/codeql-action/upload-sarif@v3
        with:
          token: ${{ secrets.MY_TOKEN }}
          sarif_file: '${{ env.trivy_output_file }}'
          category: 'trivy-image-${{ matrix.image }}'

This is the error:

Uploading results
  Processing sarif files: ["trivy-test-yellow.sarif"]
  Validating trivy-test-yellow.sarif
  Combining SARIF files using the CodeQL CLI
  Adding fingerprints to SARIF file. For more information, see https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs
  Uploading results
  Warning: Not Found
  Error: Not Found

Debug

Uploading results
  Processing sarif files: ["trivy-test-yellow.sarif"]
  Validating trivy-test-yellow.sarif
  Combining SARIF files using the CodeQL CLI
  Adding fingerprints to SARIF file. For more information, see https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs
  ##[debug]Validating that each SARIF run has a unique category
  ##[debug]Serializing SARIF for upload
  ##[debug]Compressing serialized SARIF
  ##[debug]Raw upload size: 542 bytes
  ##[debug]Base64 zipped upload size: 472 bytes
  ##[debug]Number of results in upload: 0
  Uploading results
  Warning: Not Found
  Error: Not Found
  ##[debug]Sending status report: {"action_name":"upload-sarif","action_oid":"unknown","action_ref":"v3","action_started_at":"2024-07-24T13:50:22.018Z","action_version":"3.25.13","analysis_key":".github/workflows/build new.yml:build","commit_oid":"f26f5724a7c97d43f52ce8d4c9c0ed09b5eeba51","first_party_analysis":false,"job_name":"build","job_run_uuid":"","ref":"refs/heads/main","runner_os":"Linux","started_at":"2024-07-24T13:50:22.018Z","status":"failure","steady_state_default_setup":false,"testing_environment":"","workflow_name":"builed new","workflow_run_attempt":1,"workflow_run_id":100[77](https://github.com/my..repo.../actions/runs/10077937806/job/27861647308#step:9:78)937806,"actions_event_name":"workflow_dispatch","runner_available_disk_space_bytes":21029244928,"runner_total_disk_space_bytes":7[78](https://github.com/my..repo.../actions/runs/10077937806/job/27861647308#step:9:79)51254784,"cause":"Not Found","exception":"HttpError: Not Found\n    at /home/runner/work/_actions/github/codeql-action/v3/node_modules/@octokit/request/dist-node/index.js:86:21\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async requestWithGraphqlErrorHandling (/home/runner/work/_actions/github/codeql-action/v3/node_modules/@octokit/plugin-retry/dist-node/index.js:71:20)\n    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v3/node_modules/bottleneck/light.js:405:18)","completed_at":"2024-07-24T13:50:22.[81](https://github.com/my..repo.../actions/runs/10077937806/job/27861647308#step:9:82)3Z","matrix_vars":"{\n  \"dockerfile\": \"Dockerfile-ok\",\n  \"image\": \"test/yellow\"\n}","runner_arch":"X64","runner_image_version":"20240721.1.0"}
  ##[debug]Node Action run completed with exit code 1
  ##[debug]CODEQL_ACTION_FEATURE_MULTI_LANGUAGE='false'
  ##[debug]CODEQL_ACTION_FEATURE_SANDWICH='false'
  ##[debug]CODEQL_ACTION_FEATURE_SARIF_COMBINE='true'
  ##[debug]CODEQL_ACTION_FEATURE_WILL_UPLOAD='true'
  ##[debug]CODEQL_ACTION_VERSION='3.25.13'
  ##[debug]CODEQL_ACTION_ANALYSIS_KEY='.github/workflows/build new.yml:build'
  ##[debug]CODEQL_WORKFLOW_STARTED_AT='2024-07-24T13:50:22.018Z'
  ##[debug]CODEQL_UPLOAD_SARIF_TRIVY_IMAGE_TEST_YELLOW__TRIVY='CODEQL_UPLOAD_SARIF_TRIVY_IMAGE_TEST_YELLOW__TRIVY'
  ##[debug]CODEQL_ACTION_JOB_STATUS='JOB_STATUS_FAILURE'
  ##[debug]Finishing: Upload Trivy scan results to GitHub Security tab

The secret is properly configured. If I change the secret value, I got "Bad credentials". I created this step to check the token and it works:

      - name: testing secrets
        env: 
          MY_TOKEN: ${{ secrets.MY_TOKEN }}
        run: |
          REPOSITORY=".../..."

          # Variables
          BASE_URL="https://api.github.com/repos/$REPOSITORY/code-scanning"

          HEADERS=(
            -H "Accept: application/vnd.github+json"
            -H "Authorization: Bearer $MY_TOKEN"
            -H "X-GitHub-Api-Version: 2022-11-28"
          )

          curl -Ls \
            -X GET \
            "${HEADERS[@]}" \
            "$BASE_URL/analyses?per_page=1"

[aeisenberg]

Your SARIF file is suspiciously small 542 bytes. My guess is that there is something invalid about the file being generated. Could you share the file here? If you ran the job in debug mode, it should have been uploaded as an artifact.

[jwilmoth-ehs]

I'm experiencing the same issue. The logging immediately before and at the failure appears to come from this block https://github.com/github/codeql-action/blob/v3.25.0/src/upload-lib.ts#L233-L240. I did not see a corresponding PUT /repos/:owner/:repo/code-scanning/analysis entry in https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-code-scanning-alerts.

Action Debug Output

Run github/codeql-action/upload-sarif@v3
##[debug]Sending status report: {"action_name":"upload-sarif","action_oid":"unknown","action_ref":"v3","action_started_at":"2024-08-26T18:39:50.965Z","action_version":"3.26.5","analysis_key":".github/workflows/verify-pull-request.yml:image","commit_oid":"2f079b8b84d0790015bc4b6b46f16593f765a2a2","first_party_analysis":false,"job_name":"image","job_run_uuid":"","ref":"refs/heads/test-add-graphql-schema-verification","runner_os":"Linux","started_at":"2024-08-26T18:39:50.965Z","status":"starting","steady_state_default_setup":false,"testing_environment":"","workflow_name":"Verify","workflow_run_attempt":2,"workflow_run_id":10565163535,"actions_event_name":"push","runner_available_disk_space_bytes":18077360128,"runner_total_disk_space_bytes":77851254784,"matrix_vars":"null","runner_arch":"X64","runner_image_version":"20240818.1.0"}
::group::Uploading results
Uploading results
  Processing sarif files: ["./results.sarif"]
  Validating ./results.sarif
  Combining SARIF files using the CodeQL CLI
  Adding fingerprints to SARIF file. See https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs for more information.
  ##[debug]Unable to compute fingerprint for non-existent file: /home/runner/work/java-standard/java-standard/java-standard-example//var/lib/rpm/rpmdb.sqlite
  ##[debug]Unable to compute fingerprint for non-existent file: /home/runner/work/java-standard/java-standard/java-standard-example//var/lib/rpm/rpmdb.sqlite
  ##[debug]Unable to compute fingerprint for non-existent file: /home/runner/work/java-standard/java-standard/java-standard-example//var/lib/rpm/rpmdb.sqlite
  ##[debug]Unable to compute fingerprint for non-existent file: /home/runner/work/java-standard/java-standard/java-standard-example//var/lib/rpm/rpmdb.sqlite
  ##[debug]Unable to compute fingerprint for non-existent file: /home/runner/work/java-standard/java-standard/java-standard-example//var/lib/rpm/rpmdb.sqlite
  ##[debug]Unable to compute fingerprint for non-existent file: /home/runner/work/java-standard/java-standard/java-standard-example//var/lib/rpm/rpmdb.sqlite
  ##[debug]Unable to compute fingerprint for non-existent file: /home/runner/work/java-standard/java-standard/java-standard-example//var/lib/rpm/rpmdb.sqlite
  ##[debug]Validating that each SARIF run has a unique category
  ##[debug]Serializing SARIF for upload
  ##[debug]Compressing serialized SARIF
  ##[debug]Raw upload size: 28023 bytes
  ##[debug]Base64 zipped upload size: 7228 bytes
  ##[debug]Number of results in upload: 7
  Uploading results
  Warning: Not Found
  Error: Not Found
  ##[debug]Sending status report: {"action_name":"upload-sarif","action_oid":"unknown","action_ref":"v3","action_started_at":"2024-08-26T18:39:50.965Z","action_version":"3.26.5","analysis_key":".github/workflows/verify-pull-request.yml:image","commit_oid":"2f079b8b84d0790015bc4b6b46f16593f765a2a2","first_party_analysis":false,"job_name":"image","job_run_uuid":"","ref":"refs/heads/test-add-graphql-schema-verification","runner_os":"Linux","started_at":"2024-08-26T18:39:50.965Z","status":"failure","steady_state_default_setup":false,"testing_environment":"","workflow_name":"Verify","workflow_run_attempt":2,"workflow_run_id":10565163535,"actions_event_name":"push","runner_available_disk_space_bytes":18077351936,"runner_total_disk_space_bytes":7785[125](https://github.com/VelocityEHS/java-standard/actions/runs/10565163535/job/29269593966#step:12:126)4784,"cause":"Not Found","exception":"HttpError: Not Found\n    at /home/runner/work/_actions/github/codeql-action/v3/node_modules/@octokit/request/dist-node/index.js:86:21\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async requestWithGraphqlErrorHandling (/home/runner/work/_actions/github/codeql-action/v3/node_modules/@octokit/plugin-retry/dist-node/index.js:71:20)\n    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v3/node_modules/bottleneck/light.js:405:18)","completed_at":"2024-08-26T18:39:51.738Z","matrix_vars":"null","runner_arch":"X64","runner_image_version":"20240818.1.0"}
  ##[debug]Node Action run completed with exit code 1
  ##[debug]CODEQL_ACTION_FEATURE_MULTI_LANGUAGE='false'
  ##[debug]CODEQL_ACTION_FEATURE_SANDWICH='false'
  ##[debug]CODEQL_ACTION_FEATURE_SARIF_COMBINE='true'
  ##[debug]CODEQL_ACTION_FEATURE_WILL_UPLOAD='true'
  ##[debug]CODEQL_ACTION_VERSION='3.26.5'
  ##[debug]CODEQL_ACTION_ANALYSIS_KEY='.github/workflows/verify-pull-request.yml:image'
  ##[debug]CODEQL_WORKFLOW_STARTED_AT='2024-08-26T18:39:50.965Z'
  ##[debug]CODEQL_UPLOAD_SARIF_CONTAINER__GRYPE='CODEQL_UPLOAD_SARIF_CONTAINER__GRYPE'
  ##[debug]CODEQL_ACTION_JOB_STATUS='JOB_STATUS_FAILURE'
  ##[debug]Finishing: Upload vulnerability report

[aeisenberg]

It's likely that your token does not have the proper scopes associated with it. It needs the security_events permission. Please verify that it has it as well as access to read from the current repo.

[jwilmoth-ehs]

This is what the token summary shows:

And the code scanning alerts specific setting:

[chrisgavin]

I believe currently only the built-in GitHub Actions token can be used to upload SARIF files with the codeql-action/upload-sarif Action (the existing documentation for this parameter appears to be incorrect 😢). If you could provide some more details about why you would like to use a custom token here we might be able to provide suggestions for how to work around this limitation.

Note that you should still be able to use a custom token for other steps like checking out the repository or downloading build dependencies.

[aeisenberg]

Thanks, @chrisgavin. The docs are updated here #2477.

[jwilmoth-ehs]

I believe currently only the built-in GitHub Actions token can be used to upload SARIF files with the codeql-action/upload-sarif Action (the existing documentation for this parameter appears to be incorrect 😢). If you could provide some more details about why you would like to use a custom token here we might be able to provide suggestions for how to work around this limitation.

Note that you should still be able to use a custom token for other steps like checking out the repository or downloading build dependencies.

We leverage a shared workflow in a number of repositories and the custom token (with the required permissions) would allow us to avoid adding the following boilerplate to each call of the shared workflow.

    permissions:
      actions: read
      contents: read
      security-events: write