Repository files navigation

This tool processes SARIF (Static Analysis Results Interchange Format) files, typically generated by static code analysis tools like CodeQL, and can be run as a GitHub Action or as a standalone CLI tool.It adds Secure Code Warrior contextual application security training material to SARIF files.This training material will be displayed within Code Scanning alerts if the resulting SARIF file is imported using thegithub/codeql-action/upload-sarif Action, and includes links to secure coding exercises and short explainer videos where available.This tool currently supports adding training material based on CWE references (e.g. CWE 89) and common vulnerability phrases (e.g. use-after-free vulnerability) included in static analysis findings.

• Integration of Secure Code Warrior Training Material:

  The tool enriches SARIF files by addingSecure Code Warrior contextual application security training content. When the resulting SARIF file is imported using thegithub/codeql-action/upload-sarif GitHub Action, this training material is displayed directly within Code Scanning alerts.

  The added content includes links to:

  • Secure coding exercises
  • Short explainer videos (where available)

  Currently, the tool supports adding training materials based on:

  • CWE references (e.g., CWE-89)
  • Common vulnerability phrases (e.g., use-after-free vulnerability)

  These are extracted from static analysis findings to provide relevant, actionable learning resources alongside detected vulnerabilities.

• Flexible File Input:Supports glob and wildcard patterns for input files, allowing batch processing of SARIF files in a directory, recursively, or by matching specific patterns.

• Robust Output Handling:Outputs processed SARIF results to specified filenames, with support for file overwriting and verification of output file patterns.

steps:# Fetch SARIF - for example:# - Checkout the repository using `actions/checkout` if the SARIF file is committed. This example assumes the SARIF file is located at `sarif/findings.sarif` within the repository.#     - name: Checkout repository#       uses: actions/checkout@v2# - Fetch the SARIF file from your SAST tool. The vendor may already have a GitHub Action for this. This example assumes the SARIF file is fetched and saved to `sarif/findings.sarif`.#     - name: Download SARIF#       uses: vendor/sast-tool-sarif@v1#       with:#         user: ${{ secrets.USER }}#         key: ${{ secrets.KEY }}#         scan-id: ${{ secrets.SCAN_ID }}#         output-file: sarif/findings.sarif# - Convert a SAST tool report into SARIF. The vendor may already have a GitHub Action or script for this. This example assumes the converted SARIF file is located at `sarif/findings.sarif`.#     - name: Convert report to SARIF#       uses: vendor/sast-tool-sarif-converter@v1#       with:#         report-file: reports/sast-scan.xml#         output-file: sarif/findings.sarif      -name:Add SCW Traininguses:SecureCodeWarrior/github-action-add-sarif-contextual-training@v1with:inputSarifFile:sarif/findings.sarifoutputSarifFile:sarif/findings.processed.sarif      -name:Import Resultsuses:github/codeql-action/upload-sarif@v3with:sarif_file:sarif/findings.processed.sarif

steps:# Fetch SARIF - see additional examples above      -name:Download SARIFuses:vendor/sast-tool-sarif@v1with:user:${{ secrets.USER }}key:${{ secrets.KEY }}scan-id:${{ secrets.SCAN_ID }}output-dir:./sarifs# in this example we assume the tool outputs multiple SARIF files as .json files      -name:Add SCW Traininguses:SecureCodeWarrior/github-action-add-sarif-contextual-training@v1with:inputSarifFile:./sarifs/*.jsonoutputSarifFile:./processed-sarifs      -name:Import Resultsuses:github/codeql-action/upload-sarif@v3with:sarif_file:./processed-sarifs

steps:# Fetch SARIF - see additional examples above      -name:Download SARIFuses:vendor/sast-tool-sarif@v1with:user:${{ secrets.USER }}key:${{ secrets.KEY }}scan-id:${{ secrets.SCAN_ID }}output-dir:./sarifs# in this example we assume the tool outputs multiple SARIF files in nested directories within the specified output directory      -name:Add SCW Traininguses:SecureCodeWarrior/github-action-add-sarif-contextual-training@v1with:inputSarifFile:./sarifsoutputSarifFile:./processed-sarifs      -name:Import Resultsuses:github/codeql-action/upload-sarif@v3with:sarif_file:./processed-sarifs

The SARIF file(s) to add Secure Code Warrior contextual training material to. This can be a path to a single file (e.g../findings.sarif), a glob path (e.g../scans/**/*.sarif) or a directory (d.g../scans), in which case all.sarif files recursively in the specified directory will be processed.Default value:./findings.sarif

The output path of the resulting SARIF file(s) with Secure Code Warrior contextual training material appended. If a glob path or a directory was provided as theinputSarifFile input then the resulting SARIF files will be output to the./processed-sarifs directory, which can then simply be the path provided in thesarif_file input of thegithub/codeql-action/upload-sarif action.Default value:./findings.processed.sarif

This GitHub Action can also be run in CLI mode, to enable integration with other CI tools e.g.Jenkins

node clilauncher.js<input-pattern><output-file>

• input-pattern: Path to the SARIF file(s) you want to process. Supports:
  • Exact file path
  • Wildcard patterns (e.g., *.sarif)
  • Recursive globstars (e.g., **/*.sarif)
• output-file: File path where the processed SARIF results will be saved.

Important:

• Globstar and wildcard patterns should be enclosed in quotes to prevent the shell from expanding them prematurely.
• If a globstar pattern is used, the default output dir will be./processed-sarifs. Otherwise, files will be output to the root directory.