Skip to content

feat(lint): add upload-sarif input to skip GitHub code scanning upload#249

Merged
DevSecNinja merged 2 commits into
mainfrom
feat/lint-skip-sarif-upload
Jul 7, 2026
Merged

feat(lint): add upload-sarif input to skip GitHub code scanning upload#249
DevSecNinja merged 2 commits into
mainfrom
feat/lint-skip-sarif-upload

Conversation

@DevSecNinja

Copy link
Copy Markdown
Owner

Problem

The reusable lint.yml workflow's checkov, trivy, and zizmor jobs always upload their results via github/codeql-action/upload-sarif, which requires GitHub Advanced Security (code scanning). On private repos without GHAS, the upload step fails with:

Error: Resource not accessible by integration

…which fails the whole lint job — even when the scanners themselves found nothing. There was no way to opt out of the SARIF upload, so these three security scanners were effectively unusable on private repos without a GHAS license.

Solution

Add a new upload-sarif input (boolean, default true — fully backward-compatible):

  • true (default): unchanged behavior — scanners emit SARIF and upload to GitHub code scanning.
  • false: the checkov/trivy/zizmor jobs run with console output and gate on their exit codes instead of uploading SARIF. Findings still block the build (when lint-fail-on-error: true); results appear in the job logs instead of the Security tab.

Each job branches internally on the input (single run step), and the Upload SARIF report steps are guarded with if: ${{ ... && inputs.upload-sarif }}.

Notes

  • Callers still grant security-events: write (job permissions are static and can't be conditional), but no upload — and therefore no GHAS — is required when upload-sarif: false.
  • workflow-templates/lint.yml documents the new input.
  • Validated locally: actionlint, yamllint (central config), and zizmor all pass on the edited workflow.

Motivation

Unblocks the private DevSecNinja/second-brain repo (no GHAS) from adopting the org-standard security lint (see DevSecNinja/second-brain#11).

The checkov/trivy/zizmor jobs always uploaded SARIF via
github/codeql-action/upload-sarif, which requires GitHub Advanced
Security. On private repos without GHAS the upload fails with "Resource
not accessible by integration", breaking the whole lint job.

Add an `upload-sarif` input (default true, fully backward-compatible).
When set to false, the three scanners run with console output and gate on
their exit codes instead of uploading SARIF, so private repos without GHAS
can still enforce security linting.
@DevSecNinja DevSecNinja merged commit 30660c7 into main Jul 7, 2026
16 checks passed
@DevSecNinja DevSecNinja deleted the feat/lint-skip-sarif-upload branch July 7, 2026 15:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant