Summary
`docker-security-scan.yml` currently fails to upload third-party SARIF results in PR runs because the custom `gh api` call posts a `category` field to `/code-scanning/sarifs`, and GitHub now rejects that field with HTTP 422.
As a result, Code Scanning receives only project-image categories and shows this warning on PRs:
X configurations not found
- Missing configs include prior third-party categories from `main`
Example warning seen in PR #436:
```
docker-third-party-caddy-2.10
docker-third-party-grafana-grafana-11.4.0
docker-third-party-mysql-8.0
docker-third-party-prom-prometheus-v3.0.1
docker-third-party-torrust-tracker-develop
```
Evidence
From the `Upload all third-party SARIF results` job logs:
```
gh: Invalid request.
Invalid input: "category" is not a permitted key. (HTTP 422)
Warning: Upload failed for sarif-third-party-.../trivy.sarif
```
Only project categories are currently uploaded for the PR ref:
```
docker-project-provisioned-instance
docker-project-ssh-server
```
Impact
- CI remains green because the step swallows upload errors (`|| echo ...`).
- Security visibility for third-party images in PR code scanning is degraded.
- PR warning is confusing but does not indicate test/build failure.
Proposed Fix
Replace the custom `gh api /code-scanning/sarifs` upload loop with a supported mechanism that sets the category/configuration reliably:
- Preferred: use `github/codeql-action/upload-sarif@v4` for third-party files as well (including a unique category per image).
- Alternative: set SARIF `runAutomationDetails.id` per file before upload and call the API without the `category` field.
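For the alternative fix, this added example (not the project's own code) stamps a per-image category into each SARIF file before upload by setting `runs[].automationDetails.id`, which is the SARIF 2.1.0 location of the `runAutomationDetails` object. It assumes image references of the form `name[:tag]` and derives category names matching the ones listed above (e.g. `grafana/grafana:11.4.0` becomes `docker-third-party-grafana-grafana-11.4.0`); it refuses empty documents instead of silently uploading them.

```python
import json
import re
from pathlib import Path

PREFIX = "docker-third-party"


def category_for_image(image_ref: str) -> str:
    """Map 'prom/prometheus:v3.0.1' -> 'docker-third-party-prom-prometheus-v3.0.1'.

    Registry separators ('/', ':', '@') and anything outside [A-Za-z0-9._-]
    become '-', so the id is stable across runs and safe to use as a category.
    An untagged reference is treated as ':latest' (assumption).
    """
    name, sep, tag = image_ref.rpartition(":")
    if not sep or "/" in tag:  # no tag, or the ':' was a registry port (host:5000/img)
        name, tag = image_ref, "latest"
    return re.sub(r"[^A-Za-z0-9._-]", "-", f"{PREFIX}-{name}-{tag}")


def stamp_category(sarif: dict, category: str) -> dict:
    """Set automationDetails.id on every run so Code Scanning files it under `category`.

    Raises instead of returning an unconfigured document, so the workflow step
    fails loudly rather than swallowing the problem.
    """
    runs = sarif.get("runs")
    if not runs:
        raise ValueError("SARIF document has no runs; refusing to stamp an empty file")
    for run in runs:
        run.setdefault("automationDetails", {})["id"] = category
    return sarif


def stamp_file(path: Path, image_ref: str) -> str:
    """Rewrite the SARIF file at `path` in place and return the category used."""
    category = category_for_image(image_ref)
    sarif = stamp_category(json.loads(path.read_text()), category)
    path.write_text(json.dumps(sarif, indent=2))
    return category


# Constructed minimal Trivy-style SARIF document for demonstration only.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "Trivy"}}, "results": []}],
}

if __name__ == "__main__":
    doc = stamp_category(json.loads(json.dumps(SAMPLE_SARIF)), category_for_image("grafana/grafana:11.4.0"))
    print(doc["runs"][0]["automationDetails"]["id"])  # docker-third-party-grafana-grafana-11.4.0
```

After stamping, the upload body is the unchanged gzip/base64 flow without the `category` key; the category now travels inside the SARIF itself.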
Acceptance Criteria
- Third-party SARIF uploads succeed (no HTTP 422).
- PR code scanning no longer shows missing configuration warnings caused by failed uploads.
- Both old and new third-party categories are handled predictably when image tags change.
- Workflow logs explicitly fail/alert on SARIF upload errors (do not silently ignore).
Related