Description
When running a scan with upload enabled (default behavior, skip-upload not set), the SARIF report always contains empty strings for resultUrl and resultId in the runs[0].properties section:
"properties": {
"pullString": "...",
"digest": "...",
"resultUrl": "",
"resultId": ""
}
These values should contain the Sysdig Secure scan result URL and ID, which are needed to navigate directly to the scan results in the Sysdig UI.
Steps to Reproduce
- Configure the scan-action with upload enabled (do NOT set skip-upload: true)
- Run the action:

  - name: Run Sysdig Image Scan
    uses: sysdiglabs/scan-action@v6
    with:
      image-tag: ${{ inputs.image }}
      sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
      sysdig-secure-url: "https://us2.app.sysdig.com"
      stop-on-failed-policy-eval: false

- Inspect the generated sarif.json file
- Observe that resultUrl and resultId are empty strings
Expected Behavior
When upload is enabled, the SARIF report should contain the actual resultUrl and resultId values returned by the Sysdig CLI scanner, for example:
"resultUrl": "https://us2.app.sysdig.com/secure/#/vulnerabilities/results/18724ab53a1afb03ba696801d65fd660/overview",
"resultId": "18724ab53a1afb03ba696801d65fd660"
Root Cause
The CLI scanner returns these values in the JSON output (info.resultUrl and info.resultId), but:
- The domain model ScanResult.Metadata class does not include these fields
- SarifReportPresenter.ts hardcodes empty strings instead of using values from the scan result
Affected Files
src/domain/scanresult/ScanResult.ts - Metadata class missing resultUrl and resultId
src/infrastructure/github/SarifReportPresenter.ts:104-105 - hardcoded empty strings
src/infrastructure/sysdig/JsonScanResultV1ToScanResultAdapter.ts - needs to pass these values
Version
v6.x (observed in v6.3.4)
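The mapping the root-cause section describes, written out as an added illustration. This is not the scan-action's own code: the interface names, the function names, the shape assumed for the CLI scanner's JSON (only the fields named in this issue) and the sample CLI output are all assumptions made for the example. It shows the adapter carrying info.resultUrl and info.resultId into the domain metadata, the presenter filling runs[0].properties from that metadata so that empty strings only appear when the scan was not uploaded, and a check a workflow could run over a generated sarif.json to catch the reported behaviour, including the case where the link would point at a different Sysdig Secure host than the one configured.

```typescript
// Added example for this issue; not code from sysdiglabs/scan-action.
// Type names, function names and the sample CLI output are assumptions.

// Assumed minimal shape of the CLI scanner's JSON output, limited to the
// fields this issue talks about (not the full schema).
interface CliScanJsonV1 {
  info?: {
    resultUrl?: string;
    resultId?: string;
  };
  result: {
    metadata: {
      pullString: string;
      digest: string;
    };
  };
}

// Domain metadata extended with the two fields the issue says are missing.
// When the scan ran with skip-upload the CLI has nothing to report, so they
// are optional instead of being forced to "".
interface Metadata {
  pullString: string;
  digest: string;
  resultUrl?: string;
  resultId?: string;
}

// Adapter step: keep info.resultUrl / info.resultId instead of dropping them.
function toMetadata(json: CliScanJsonV1): Metadata {
  const { pullString, digest } = json.result.metadata;
  const url = json.info?.resultUrl?.trim();
  const id = json.info?.resultId?.trim();
  return {
    pullString,
    digest,
    ...(url ? { resultUrl: url } : {}),
    ...(id ? { resultId: id } : {}),
  };
}

// Presenter step: build runs[0].properties from the metadata. Only a scan
// that was not uploaded should end up with empty strings here.
function sarifRunProperties(meta: Metadata): Record<string, string> {
  return {
    pullString: meta.pullString,
    digest: meta.digest,
    resultUrl: meta.resultUrl ?? "",
    resultId: meta.resultId ?? "",
  };
}

// Check for a generated sarif.json: with upload enabled both fields must be
// set, resultUrl must live under the configured sysdig-secure-url (so the
// report never links into some other tenant) and must reference resultId.
function checkSarifResultLink(
  sarif: { runs: { properties?: Record<string, unknown> }[] },
  uploadEnabled: boolean,
  sysdigSecureUrl: string
): string[] {
  const problems: string[] = [];
  if (!uploadEnabled) return problems; // skip-upload: empty values are expected
  const props = sarif.runs[0]?.properties ?? {};
  const url = typeof props.resultUrl === "string" ? props.resultUrl : "";
  const id = typeof props.resultId === "string" ? props.resultId : "";
  if (id === "") problems.push("resultId is empty although upload was enabled");
  if (url === "") {
    problems.push("resultUrl is empty although upload was enabled");
  } else if (!url.startsWith(sysdigSecureUrl.replace(/\/+$/, "") + "/")) {
    problems.push(`resultUrl does not start with ${sysdigSecureUrl}`);
  } else if (id !== "" && !url.includes(id)) {
    problems.push("resultUrl does not reference resultId");
  }
  return problems;
}

// Constructed sample of CLI output for this example (not captured from a real scan);
// the URL/ID values mirror the ones quoted in the issue.
const sampleCliOutput: CliScanJsonV1 = {
  info: {
    resultUrl:
      "https://us2.app.sysdig.com/secure/#/vulnerabilities/results/18724ab53a1afb03ba696801d65fd660/overview",
    resultId: "18724ab53a1afb03ba696801d65fd660",
  },
  result: {
    metadata: { pullString: "ghcr.io/example/app:1.0", digest: "sha256:0123" },
  },
};

// What the fixed pipeline would emit for runs[0].properties.
const sampleSarif = {
  runs: [{ properties: sarifRunProperties(toMetadata(sampleCliOutput)) }],
};
```

With the adapter and presenter wired this way, the properties block carries the same URL and ID the CLI printed, and a CI step can call checkSarifResultLink on the produced sarif.json with the action's skip-upload setting and sysdig-secure-url to fail fast if the fields come back empty again.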