Below is the workflow file I am using, which tries to run kubescape/[email protected], producing results.sarif and uploading it to GitHub Code Scanning via github/codeql-action/upload-sarif@v3, but the SARIF file is empty, as can be seen in the job logs screenshot attached below:
```yaml
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write   # required to upload SARIF to Code Scanning
    steps:
    - uses: actions/checkout@v3

    - uses: kubescape/[email protected]
      with:
        format: sarif
        outputFile: results.sarif
        files: "."
        verbose: true
        severityThreshold: critical

    - name: List repository files
      run: ls -laR
    - name: Debug SARIF Contents
      run: |
        if [ -f results.sarif ]; then
          cat results.sarif
        else
          echo "No SARIF file generated"
        fi
    - name: Upload Kubescape scan results to GitHub Code Scanning
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: results.sarif
```
[Screenshot: shows the empty SARIF file in the job logs]
For now I am running Kubescape directly as a binary in the job (which seems to work) to circumvent the issue and publish results to GitHub Code Scanning. Working workflow file:
```yaml
    - name: Install Kubescape
      run: |
        KUBESCAPE_DIR="$HOME/kubescape-bin"
        mkdir -p "$KUBESCAPE_DIR"
        # Resolve the latest release tag, then fetch the Linux binary for it
        LATEST_VERSION=$(curl -s https://api.github.com/repos/kubescape/kubescape/releases/latest | jq -r .tag_name)
        curl -sL "https://github.com/kubescape/kubescape/releases/download/${LATEST_VERSION}/kubescape-ubuntu-latest" -o "$KUBESCAPE_DIR/kubescape"
        chmod +x "$KUBESCAPE_DIR/kubescape"
        echo "$KUBESCAPE_DIR" >> "$GITHUB_PATH"

    - name: Run Kubescape scan
      run: |
        kubescape scan . \
          --format sarif \
          --output results.sarif
```
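As an added example (not from this issue, the Kubescape action or the CodeQL action), a small validation script that a workflow step could run between the scan and the upload so that a missing, zero-byte or run-less results.sarif fails the job instead of reaching Code Scanning. The step invocation `python3 check_sarif.py results.sarif` and the `SAMPLE_SARIF` document are assumptions made for the example.

```python
import json
import sys
from pathlib import Path

# Constructed SARIF document with one run and two results (not real Kubescape output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "kubescape"}},
              "results": [{"ruleId": "C-0001"}, {"ruleId": "C-0002"}]}],
})


def check_sarif_text(raw):
    """Return (ok, message) for the text of a SARIF 2.1.0 file.

    ok is False for the failure modes behind an empty upload: a zero-byte
    file, invalid JSON, or a document whose "runs" list is missing or empty.
    Zero results inside a run is still ok: a clean scan is a valid upload.
    """
    if not raw.strip():
        return False, "file is empty (0 bytes)"
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, f"not valid JSON ({exc})"
    runs = doc.get("runs") if isinstance(doc, dict) else None
    if not isinstance(runs, list) or not runs:
        return False, "SARIF document has no runs"
    results = sum(len(run.get("results") or []) for run in runs)
    return True, f"{len(runs)} run(s), {results} result(s)"


def check_sarif_file(path):
    """Same check for a file on disk; a missing file is reported, not raised."""
    p = Path(path)
    if not p.is_file():
        return False, "file not found"
    return check_sarif_text(p.read_text(encoding="utf-8"))


def main(argv):
    path = argv[1] if len(argv) > 1 else "results.sarif"
    ok, message = check_sarif_file(path)
    # "::error::" is the GitHub Actions workflow command for an error annotation.
    print(f"{'' if ok else '::error::'}{path}: {message}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit stops the job before the upload-sarif step, and the annotation surfaces the reason in the run summary.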
Status: Accepted