GitHub Action

Issue Injector

v1.0.0 Latest version


Process SARIF files and create GitHub issues based on findings

Installation

Copy and paste the following snippet into your .yml file.

- name: Issue Injector
  uses: scherersebastian/issue-injector@v1.0.0

Learn more about this action in scherersebastian/issue-injector


IssueInjector

IssueInjector is a GitHub action adept at converting security findings, notably from SARIF (Static Analysis Results Interchange Format), into GitHub issues. It not only creates issues for new findings but also auto-closes resolved ones.

This tool is compatible with nearly all security tools that use the SARIF format. It bridges the gap between security scan results and your GitHub issues tab, automatically generating issues from detected vulnerabilities and risks.

A distinguishing feature of IssueInjector is that it does not depend on the GitHub Advanced Security dashboard. Findings can be viewed and managed directly as GitHub issues, even without an Advanced Security subscription, so there is no need to switch between each security tool's own platform.

How To Use

The IssueInjector GitHub Action processes SARIF files to create GitHub issues based on the findings. It filters findings based on severity and ensures that issues are properly labeled.

Prerequisites

Make sure you have a SARIF file that you want to process. The action takes the following inputs:

  • SARIF_FILE: The path to your SARIF file.

  • SEVERITY: The severity level to filter the findings (optional, default is "error").

  • GITHUB_TOKEN: GitHub token to authenticate with the API.

  • GITHUB_REPO: The GitHub repository where issues should be created.

Setup Instructions

  1. Add Action to Your Workflow File: In your GitHub Actions workflow, you can include this action by creating a new step.
jobs:
  your_job_name:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      issues: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Use IssueInjector
        uses: scherersebastian/issue-injector@v1 # replace `v1` with the version you'd like to use
        with:
          SARIF_FILE: "path/to/your/sarif-file.sarif"
          SEVERITY: "error" # Optional, default is "error"
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REPO: "username/repo-name"
  2. Set Required Permissions: Make sure the job's permissions block grants the GITHUB_TOKEN contents: read and issues: write, as shown above; without issues: write the action cannot create or close issues.

  3. Run the Workflow: Once your workflow file is set up, push the changes to your GitHub repository. This will trigger the workflow, and the IssueInjector action will process the SARIF file and create issues based on the findings.

  4. Check for Issues: After the workflow runs, check your GitHub repository's "Issues" tab for newly created issues.

Inputs

| Input        | Description                                          | Required | Default |
|--------------|------------------------------------------------------|----------|---------|
| SARIF_FILE   | Path to the SARIF file                               | Yes      |         |
| SEVERITY     | Severity level to filter                             | No       | error   |
| GITHUB_TOKEN | GitHub token to authenticate with the API            | Yes      |         |
| GITHUB_REPO  | The GitHub repository where issues should be created | Yes      |         |

Limitations

  • Once closed, issues remain closed: If an issue is manually closed, the script won't reopen it even if the finding reappears in a new scan.

  • No branch support: The current version of the script doesn't distinguish between different branches. It assumes that all findings are relevant to the default or main branch.

  • Location changes result in hash mismatch: If the location of a finding is changed, such as by renaming a file, the hash generated for that finding will differ. This could lead to duplicate issues being created.

  • IssueInjector is an early ("soft") release and may still contain bugs. One known limitation is inconsistent issue creation caused by missing or differing SARIF field values across tools. Feedback on such discrepancies is appreciated and helps improve the tool.
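To make the processing model and the hash-mismatch limitation above concrete, here is an added, self-contained example (not the action's own code) that parses a constructed SARIF document, filters results by the SARIF `level` against a SEVERITY threshold, fingerprints each finding from its rule, file and line, and computes which issues to create and which to close against a set of already-open issues. The fingerprint scheme and the SEVERITY_RANK ordering are assumptions for illustration; the real action's hashing may differ.

```python
import hashlib
import json

# Constructed SARIF 2.1.0 document standing in for a scanner's output (sample data, not real findings).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "R001", "level": "error", "message": {"text": "Hardcoded credential"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.py"},
                                                 "region": {"startLine": 12}}}]},
            {"ruleId": "R002", "level": "warning", "message": {"text": "Weak hash"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.py"},
                                                 "region": {"startLine": 40}}}]},
            {"ruleId": "R003", "message": {"text": "Note only"}},  # no level and no location
        ],
    }],
})

# Assumed ordering of SARIF levels; "error" is the action's default threshold.
SEVERITY_RANK = {"note": 0, "warning": 1, "error": 2}

def finding_hash(result):
    """Fingerprint a result from ruleId, file URI and start line (assumed scheme).
    Renaming the file changes the URI and therefore the hash, which is the limitation above."""
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "")
    line = loc.get("region", {}).get("startLine", 0)
    key = f"{result.get('ruleId', '')}|{uri}|{line}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def load_findings(sarif_text, severity="error"):
    """Return {hash: issue title} for results at or above `severity`."""
    threshold = SEVERITY_RANK[severity]
    findings = {}
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF's default when `level` is absent
            if SEVERITY_RANK.get(level, 0) < threshold:
                continue
            title = f"[{level}] {result.get('ruleId', 'unknown')}: {result['message']['text']}"
            findings[finding_hash(result)] = title
    return findings

def reconcile(findings, open_issues):
    """Diff findings against open issues keyed by hash: new hashes are created, missing ones closed."""
    to_create = {h: t for h, t in findings.items() if h not in open_issues}
    to_close = [h for h in open_issues if h not in findings]
    return to_create, to_close
```

The real action would then call the GitHub Issues API with GITHUB_TOKEN for each entry in `to_create` and `to_close`; note that a manually closed issue is simply absent from `open_issues`, so a recurring finding would be created again rather than reopened.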

License

The scripts and documentation in this project are released under the MIT License.