bug: SARIF URI scheme "https" did not match the checkout URI scheme "file"
Describe the bug
I get an error when uploading the produced SARIF file to GitHub:
Error: Code Scanning could not process the submitted SARIF file:
SARIF URI scheme "https" did not match the checkout URI scheme "file",
The produced SARIF file has entries such as:
```json
{
  "ruleId": "aws-vpc-no-public-egress-sgr",
  "ruleIndex": 20,
  "level": "error",
  "message": {
    "text": "Security group rule allows egress to multiple public internet addresses."
  },
  "locations": [
    {
      "physicalLocation": {
        "artifactLocation": {
          "uri": "https://github.com/bosch-top98-ai-know/terraform-aws-small-modules.git/modules/opensearch?ref=v0.0.72/github/workspace/dev/.terraform/modules/opensearch-services-team/modules/opensearch/security_group.tf"
        },
        "region": {
          "startLine": 30,
          "endLine": 30
        }
      }
    }
  ]
}
```
To Reproduce
Steps to reproduce the behavior: Run this in a GitHub pipeline (with a terraform plan in advance, incl. private Terraform modules):
```yaml
- name: tfsec
  uses: aquasecurity/[email protected]
  with:
    sarif_file: tfsec.sarif
    working_directory: dev
- name: showsarif
  run: |
    sed -i 's/git:://g' tfsec.sarif
    sed -i 's+https:/github+https://github+g' tfsec.sarif
    cat ./tfsec.sarif
- name: Upload SARIF file
  uses: github/codeql-action/upload-sarif@v2
  with:
    # Path to SARIF file relative to the root of the repository
    sarif_file: tfsec.sarif
```
This is because tfsec is detecting issues in 3rd-party remote modules, and GitHub doesn't know how to handle these.
I'll see if we can add an option to highlight the module block that includes the remote module so that the URI is local to the project.
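One way to get local URIs in the meantime, as an added example that is not tfsec's code or the reporter's workflow: a post-processing step that re-points every finding located inside a remotely sourced module at the `module "<key>" {` block in the root configuration that pulls that module in, keeping the original remote URI in the result's `properties` bag. It assumes the tfsec URI still contains the `.terraform/modules/<key>/` path segment seen in the report and that the root module's `.tf` files are passed as a path-to-contents dict; the SARIF log and `dev/main.tf` below are constructed samples.

```python
import re
from urllib.parse import urlsplit

MODULE_BLOCK = re.compile(r'^[ \t]*module\s+"([^"]+)"\s*\{', re.M)
MODULE_DIR = re.compile(r"\.terraform/modules/([^/]+)/")  # key tfsec embeds in the URI

def find_module_blocks(tf_files):
    """Map module key -> (repo-relative path, 1-based line) of its `module "key" {` block."""
    blocks = {}
    for path, text in tf_files.items():
        for m in MODULE_BLOCK.finditer(text):
            blocks[m.group(1)] = (path, text.count("\n", 0, m.start()) + 1)
    return blocks

def relocate_remote_results(sarif, tf_files):
    """Re-point remote-module findings at the calling `module` block; returns (moved, unresolved)."""
    blocks, moved, unresolved = find_module_blocks(tf_files), 0, []
    for result in (r for run in sarif["runs"] for r in run.get("results", [])):
        for loc in result.get("locations", []):
            phys = loc["physicalLocation"]
            uri = phys["artifactLocation"].get("uri", "")
            if urlsplit(uri).scheme in ("", "file"):
                continue  # already local: a bare relative path or a file: URI
            key = MODULE_DIR.search(uri)
            if not key or key.group(1) not in blocks:
                unresolved.append(uri)  # caller must drop or fix these by hand
                continue
            path, line = blocks[key.group(1)]
            phys["artifactLocation"]["uri"] = path
            phys["region"] = {"startLine": line, "endLine": line}
            result.setdefault("properties", {})["originalUri"] = uri  # keep provenance
            result["message"]["text"] += f' (inside remote module "{key.group(1)}")'
            moved += 1
    return moved, unresolved

# Constructed sample: the finding from the report, wrapped in a minimal SARIF log.
REMOTE_URI = ("https://github.com/bosch-top98-ai-know/terraform-aws-small-modules.git"
              "/modules/opensearch?ref=v0.0.72/github/workspace/dev/.terraform/modules"
              "/opensearch-services-team/modules/opensearch/security_group.tf")

def sample_log():
    return {"version": "2.1.0", "runs": [{"results": [{
        "ruleId": "aws-vpc-no-public-egress-sgr", "level": "error",
        "message": {"text": "Security group rule allows egress to multiple public internet addresses."},
        "locations": [{"physicalLocation": {"artifactLocation": {"uri": REMOTE_URI},
                                            "region": {"startLine": 30, "endLine": 30}}}]}]}]}

# Constructed root module under working_directory "dev"; its module block sits on line 3.
ROOT_TF = {"dev/main.tf": 'provider "aws" {}\n\nmodule "opensearch-services-team" {\n'
           '  source = "git::https://example.invalid/m.git//modules/opensearch?ref=v0.0.72"\n}\n'}
```

Anything left in the unresolved list would still trip the upload, so drop those results or map them by hand before calling `upload-sarif`.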