GitHub Action
Issue Injector
IssueInjector is a GitHub action adept at converting security findings, notably from SARIF (Static Analysis Results Interchange Format), into GitHub issues. It not only creates issues for new findings but also auto-closes resolved ones.
This tool is compatible with nearly all security tools that use the SARIF format. It bridges the gap between security scan results and your GitHub issues tab, automatically generating issues from detected vulnerabilities and risks.
A distinguishing feature of IssueInjector is that it does not depend on the GitHub Advanced Security dashboard: findings can be viewed and managed directly in the GitHub Issues tab without an Advanced Security subscription, so there is no need to switch between platforms for each security tool.
The IssueInjector GitHub Action processes SARIF files to create GitHub issues based on the findings. It filters findings based on severity and ensures that issues are properly labeled.
Make sure you have a SARIF file that you want to process. Your GitHub repository should have the following variables:

- SARIF_FILE: The path to your SARIF file.
- SEVERITY: The severity level to filter the findings (optional, default is "error").
- GITHUB_TOKEN: GitHub token to authenticate with the API.
- GITHUB_REPO: The GitHub repository where issues should be created.
- Add Action to Your Workflow File: In your GitHub Actions workflow, you can include this action by creating a new step.

```yaml
jobs:
  your_job_name:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Use IssueInjector
        uses: scherersebastian/IssueInjector@v1 # replace `v1` with the version you'd like to use
        with:
          SARIF_FILE: "path/to/your/sarif-file.sarif"
          SEVERITY: "error" # Optional, default is "error"
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REPO: "username/repo-name"
```
- Set Required Secrets: Make sure the GITHUB_TOKEN secret is available to the workflow and that the job grants it the `contents: read` and `issues: write` permissions.
- Run the Workflow: Once your workflow file is set up, push the changes to your GitHub repository. This will trigger the workflow, and the IssueInjector action will process the SARIF file and create issues based on the findings.
- Check for Issues: After the workflow runs, check your GitHub repository's "Issues" tab for newly created issues.
| Input | Description | Required | Default |
|---|---|---|---|
| SARIF_FILE | Path to the SARIF file | Yes | |
| SEVERITY | Severity level to filter | No | error |
| GITHUB_TOKEN | GitHub token to authenticate with the API | Yes | |
| GITHUB_REPO | The GitHub repository where issues should be created | Yes | |
- Once closed, issues remain closed: If an issue is manually closed, the script won't reopen it even if the finding reappears in a new scan.
- No branch support: The current version of the script doesn't distinguish between different branches. It assumes that all findings are relevant to the default or main branch.
- Location changes result in hash mismatch: If the location of a finding changes, for example because a file is renamed, the hash generated for that finding will differ. This can lead to duplicate issues being created.
- IssueInjector is a soft release, so bugs are possible. One known limitation is inconsistent issue creation because SARIF values are missing or vary across tools. Feedback on discrepancies is appreciated to improve the tool.
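The severity filter, location-based fingerprint and create/close reconciliation described on this page, as an added Python sketch that is not the project's own code. The SARIF document, scanner name, label names and the `open_issues` map are constructed for the example, and since the action's real hashing scheme is not documented here the fingerprint format is an assumption.

```python
import hashlib
import json

# Constructed SARIF 2.1.0 sample (not from the project): one "error" and one "warning" result.
SARIF_TEXT = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner"}},
    "results": [
        {"ruleId": "sql-injection", "level": "error", "message": {"text": "User input reaches a SQL query"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"}, "region": {"startLine": 42}}}]},
        {"ruleId": "weak-hash", "level": "warning", "message": {"text": "MD5 used for password hashing"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/auth.py"}, "region": {"startLine": 7}}}]},
    ]}]})

LEVEL_RANK = {"note": 0, "warning": 1, "error": 2}  # SARIF result levels, lowest to highest

def finding_hash(rule_id, uri, line):
    # Assumed fingerprint tied to the location: renaming the file changes it (the hash-mismatch caveat above).
    return hashlib.sha256(f"{rule_id}|{uri}|{line}".encode()).hexdigest()[:16]

def extract_findings(sarif_text, severity="error"):
    # Return {fingerprint: issue fields} for results at or above `severity`.
    findings = {}
    for run in json.loads(sarif_text)["runs"]:
        tool = run["tool"]["driver"]["name"]
        for r in run.get("results", []):
            level = r.get("level", "warning")  # SARIF treats a missing level as "warning"
            if LEVEL_RANK.get(level, 1) < LEVEL_RANK[severity]:
                continue
            loc = r["locations"][0]["physicalLocation"]
            uri = loc["artifactLocation"]["uri"]
            line = loc.get("region", {}).get("startLine", 0)
            h = finding_hash(r["ruleId"], uri, line)
            findings[h] = {
                "title": f"[{tool}] {r['ruleId']} in {uri}:{line}",
                "body": f"{r['message']['text']}\n\nfingerprint: {h}",
                "labels": ["security", level],
            }
    return findings

def reconcile(open_issues, findings):
    # open_issues maps fingerprint -> issue number of issues opened by an earlier run.
    # New fingerprints become issues; open issues whose finding vanished get closed.
    to_create = sorted(set(findings) - set(open_issues))
    to_close = sorted(open_issues[h] for h in set(open_issues) - set(findings))
    return to_create, to_close
```

Because the fingerprint includes the file path, the same rule hit at the same line in a renamed file produces a new fingerprint, which is exactly how the duplicate-issue limitation above arises.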
The scripts and documentation in this project are released under the MIT License.