CID-19785 - Upload SARIF file directly to code scanning API #243

Draft
andrewlundberg-wf wants to merge 3 commits into master from CID-19785

Conversation

@andrewlundberg-wf
Contributor

Replaces the external github/codeql-action/upload-sarif composite step with an in-process SARIF upload using the GitHub REST API (code-scanning/uploadSarif). This gives the action direct control over the upload lifecycle, including retry logic and error handling.

This was done to support allowing the action to be used in public repositories.
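The in-process upload the description refers to, as an added example that is not the gha-security-scanner action's own code. The endpoint, the required ref forms, the gzip-then-base64 encoding of the SARIF body and the 202 Accepted response are GitHub's documented code scanning SARIF upload API; the function names, the retry schedule, the transport interface and the sample values (owner, repo, sha, token, SARIF document) are assumptions constructed for illustration.

```typescript
import { gzipSync, gunzipSync } from "node:zlib";

// Added example, not the action's own code: upload a SARIF file to
// POST /repos/{owner}/{repo}/code-scanning/sarifs with a retry policy.
// Names, retry schedule and the transport interface are assumptions.

export interface SarifUploadParams {
  owner: string;
  repo: string;
  commitSha: string; // commit the analysis ran against
  ref: string;       // e.g. refs/heads/master or refs/pull/243/merge
  sarif: string;     // raw SARIF JSON text
  token: string;     // token with security_events: write
}

// The API accepts only these ref forms; reject anything else before sending.
const REF_PATTERN = /^refs\/(heads\/.+|tags\/.+|pull\/\d+\/(merge|head))$/;

export function validateRef(ref: string): boolean {
  return REF_PATTERN.test(ref);
}

// The API requires the SARIF to be gzip-compressed, then base64-encoded.
export function encodeSarif(sarif: string): string {
  return gzipSync(Buffer.from(sarif, "utf8")).toString("base64");
}

export function decodeSarif(encoded: string): string {
  return gunzipSync(Buffer.from(encoded, "base64")).toString("utf8");
}

export interface UploadRequest {
  url: string;
  method: "POST";
  headers: Record<string, string>;
  body: string;
}

export function buildUploadRequest(p: SarifUploadParams): UploadRequest {
  if (!validateRef(p.ref)) {
    throw new Error(`unsupported ref for code scanning upload: ${p.ref}`);
  }
  return {
    url: `https://api.github.com/repos/${p.owner}/${p.repo}/code-scanning/sarifs`,
    method: "POST",
    headers: {
      Accept: "application/vnd.github+json",
      Authorization: `Bearer ${p.token}`,
      "Content-Type": "application/json",
      "X-GitHub-Api-Version": "2022-11-28",
    },
    body: JSON.stringify({ commit_sha: p.commitSha, ref: p.ref, sarif: encodeSarif(p.sarif) }),
  };
}

// Retry only transient failures (rate limit, server errors). A 403 (token
// lacks security_events) or 422 (bad payload) will not get better on retry.
export function isRetryable(status: number): boolean {
  return status === 429 || status >= 500;
}

// Minimal transport so the upload can be exercised without network access.
export type Transport = (req: UploadRequest) => Promise<{ status: number; body: string }>;

export async function uploadSarifWithRetry(
  p: SarifUploadParams,
  send: Transport,
  maxAttempts = 3,
  sleep: (ms: number) => Promise<void> = (ms) => new Promise((r) => setTimeout(r, ms)),
): Promise<{ id: string; attempts: number }> {
  const req = buildUploadRequest(p);
  let lastStatus = 0;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const res = await send(req);
    if (res.status === 202) {
      // 202 Accepted: the upload is queued; the body carries its id and status URL.
      const data = JSON.parse(res.body) as { id: string };
      return { id: data.id, attempts: attempt };
    }
    lastStatus = res.status;
    if (!isRetryable(res.status) || attempt === maxAttempts) break;
    await sleep(250 * Math.pow(2, attempt - 1)); // exponential backoff: 250 ms, 500 ms, ...
  }
  throw new Error(`SARIF upload failed with HTTP ${lastStatus} after ${maxAttempts} attempts`);
}

// Constructed fake transport: fails once with 503, then accepts with 202.
export function fakeTransport(): { send: Transport; calls: () => number } {
  let calls = 0;
  const send: Transport = async () => {
    calls++;
    return calls === 1
      ? { status: 503, body: "" }
      : { status: 202, body: JSON.stringify({ id: "constructed-upload-id" }) };
  };
  return { send, calls: () => calls };
}

// Constructed sample parameters (placeholders, not real values).
export const SAMPLE_PARAMS: SarifUploadParams = {
  owner: "example-org",
  repo: "example-repo",
  commitSha: "0".repeat(40),
  ref: "refs/pull/243/merge",
  sarif: JSON.stringify({ version: "2.1.0", runs: [] }),
  token: "placeholder-token",
};
```

Validating the ref before the request matters because a malformed ref is rejected with 422 and is not worth retrying; the retry loop therefore distinguishes transient statuses from permanent ones so that a misconfigured token or payload fails fast instead of burning the backoff budget.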

@btr-rmconsole-6

btr-rmconsole-6 Bot commented May 4, 2026

Merge Requirements Unmet ❌

Request Rosie to automerge this pull request by including @Workiva/release-management-p in a comment.

❌ All commits reviewed (1553c3c authored by andrewlundberg-wf)

General Information

Ticket(s):

Code Review(s): #243
Release Image Tags:

Reviewers: None

Additional Information

Watchlist Notifications: None

When this pull is merged I will add it to the following release:
Version: gha-security-scanner v0.1.2
Release Ticket(s): None


Last updated on Tuesday, May 05 01:30 PM CST

@btr-github-actions

btr-github-actions Bot commented May 4, 2026

Security Audit Results

Please direct questions to #support-infosec.

Commit Signing

✅ All commits are signed

Raven

✅ 40 global file checks pass
✅ 94 global keyword checks pass

Images

✅ No Dockerfiles in this PR

Workflows

.github/workflows/gha-security-scanner.yaml found.

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@andrewlundberg-wf andrewlundberg-wf marked this pull request as ready for review May 4, 2026 05:05
@andrewlundberg-wf andrewlundberg-wf requested review from a team as code owners May 4, 2026 05:05
Comment thread action.yml Outdated
Comment thread rollup.config.ts
const config = {
  input: 'src/index.ts',
  onwarn(warning, warn) {
    if (warning.code === 'THIS_IS_UNDEFINED') return
Contributor

Why is this here?

Contributor Author

It removes unhelpful warnings that are being displayed in the build process.

@andrewlundberg-wf andrewlundberg-wf marked this pull request as draft May 4, 2026 18:10
@zanehala-wk
Contributor

zanehala-wk commented May 4, 2026

Is all we actually have to do here just remove this?

- name: 'Upload SARIF file as artifact'
  uses: actions/upload-artifact@v7
  with:
    name: semgrep.sarif
    path: semgrep.sarif

The main point of the ticket is removing the artifact from being publicly accessible. Is there a reason we upload it to the public artifact storage in the first place?

@cristianmartinello-wf
Contributor

Is all we actually have to do here just remove this?

- name: 'Upload SARIF file as artifact'
  uses: actions/upload-artifact@v7
  with:
    name: semgrep.sarif
    path: semgrep.sarif

The main point of the ticket is removing the artifact from being publicly accessible. Is there a reason we upload it to the public artifact storage in the first place?

Not sure we can answer that question.

3ecd2fd

@andrewlundberg-wf
Contributor Author

Is all we actually have to do here just remove this?

- name: 'Upload SARIF file as artifact'
  uses: actions/upload-artifact@v7
  with:
    name: semgrep.sarif
    path: semgrep.sarif

The main point of the ticket is removing the artifact from being publicly accessible. Is there a reason we upload it to the public artifact storage in the first place?

Not sure we can answer that question.

3ecd2fd

How about pushing this to a future ticket?

@andrewlundberg-wf andrewlundberg-wf marked this pull request as ready for review May 5, 2026 16:40
@zanehala-wk
Contributor

zanehala-wk commented May 5, 2026

How about pushing this to a future ticket?

What I'm saying here is that I think the majority of this PR is unnecessary: the github/codeql-action/upload-sarif@v4 action already uploads the SARIF file directly to the API, so there are likely no real code changes that need to occur here. We simply needed to remove the actions/upload-artifact@v7 action.

@andrewlundberg-wf andrewlundberg-wf marked this pull request as draft May 5, 2026 23:09
6 participants