Summary
The full-project SARIF generation path in the composite action assumes a scan-project output schema that no longer matches what the tool emits.
The action's conversion logic walks a nested files[].issues[] structure, while scan-project currently returns a flat issues array (alongside scanned_files, by_file, issues_count, etc.). Because the nested path is never populated, full scan mode can upload an empty or incomplete SARIF file and findings are silently dropped.
Affected Files
.github/actions/security-scan/action.yml
src/tools/scan-project.js (output shape reference)
Reproduction
- Run the action with scan_diff_only: false.
- Generate SARIF from the scan-project output.
- Observe that the SARIF may contain no results despite findings being present in the scan-project JSON.
Expected
- SARIF generation should map from the actual scan-project output shape.
- Findings from a full-project scan should appear in the uploaded SARIF.
Suggested Fix
- Update the action's SARIF conversion to consume the current scan-project output (a flat issues[] list with per-issue file metadata).
- Add a regression test fixture for the project JSON -> SARIF conversion.
Acceptance Criteria
- Full-project mode produces non-empty SARIF when findings exist.
- SARIF result count matches issues_count for representative fixtures.