Added example step for filtering false-positive detection and fix comments

hsbt · hsbt · commit c98103ef3015 · 2026-03-25T12:29:58.000+09:00
diff --git a/.github/workflows/check_sast.yml b/.github/workflows/check_sast.yml
@@ -54,7 +54,7 @@ jobs:
     permissions:
       actions: read # for github/codeql-action/init to get workflow details
       contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/autobuild to send a status report
+      security-events: write # for github/codeql-action/upload-sarif to send a status report
     # CodeQL fails to run pull requests from dependabot due to missing write access to upload results.
     if: >-
       ${{!(false
@@ -113,6 +113,17 @@ jobs:
         if: ${{ matrix.language == 'ruby' }}
         continue-on-error: true
 
+      - name: filter-sarif
+        uses: advanced-security/filter-sarif@2da736ff05ef065cb2894ac6892e47b5eac2c3c0 # v1.1.0.1.1
+        with:
+          patterns: |
+            +**/*.c
+            +**/*.h
+          input: sarif-results/${{ matrix.language }}.sarif
+          output: sarif-results/${{ matrix.language }}.sarif
+        if: ${{ matrix.language == 'cpp' }}
+        continue-on-error: true
+
       - name: Upload SARIF
         uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
