OSS projects restricted from code scanning REST APIs

[0x73746F66]

Select Topic Area

Bug

Body

I can see everything is working in code-scanning CodeQL configurations and rules are easy to view too.

I can see github-advanced-security doing it's thing, it is an OSS repo so it's a really nice feature.

But how to obtain the SARIF?
The gha has no artifacts, the logs don't indicate SARIF creation at all.
I do see reporting exists, not sure what that means if it is SARIF or not..

I tied to locate the API and believe I have located it

*   Trying 20.248.137.49:443...
* Connected to api.github.com (20.248.137.49) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=*.github.com
*  start date: Mar  7 00:00:00 2024 GMT
*  expire date: Mar  7 23:59:59 2025 GMT
*  subjectAltName: host "api.github.com" matched cert's "*.github.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo ECC Domain Validation Secure Server CA
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://api.github.com/repos/trivialsec/triage-by-trivial-security/code-scanning/analyses?per_page=100&page=1
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: api.github.com]
* [HTTP/2] [1] [:path: /repos/trivialsec/triage-by-trivial-security/code-scanning/analyses?per_page=100&page=1]
* [HTTP/2] [1] [accept: application/vnd.github+json]
* [HTTP/2] [1] [authorization: token ghu_<redacted>]
* [HTTP/2] [1] [x-github-api-version: 2022-11-28]
* [HTTP/2] [1] [user-agent: Triage-by-Trivial-Security]
> GET /repos/trivialsec/triage-by-trivial-security/code-scanning/analyses?per_page=100&page=1 HTTP/2
> Host: api.github.com
> Accept: application/vnd.github+json
> Authorization: token ghu_<redacted>
> X-GitHub-Api-Version: 2022-11-28
> User-Agent: Triage-by-Trivial-Security
>
< HTTP/2 403
< server: GitHub.com
< date: Mon, 17 Jun 2024 00:19:10 GMT
< content-type: application/json; charset=utf-8
< content-length: 191
< x-oauth-scopes:
< x-accepted-oauth-scopes: admin:repo_hook, delete_repo, read:repo_hook, repo, repo:invite, repo:status, repo_deployment, security_events, write:repo_hook
< x-oauth-client-id: Iv23liW5R5lkjMRgFrWI
< x-github-media-type: github.v3; format=json
< x-accepted-github-permissions: security_events=read
< x-github-api-version-selected: 2022-11-28
< x-ratelimit-limit: 5000
< x-ratelimit-remaining: 4999
< x-ratelimit-reset: 1718587150
< x-ratelimit-used: 1
< x-ratelimit-resource: core
< access-control-expose-headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
< access-control-allow-origin: *
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 0
< referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
< content-security-policy: default-src 'none'
< vary: Accept-Encoding, Accept, X-Requested-With
< x-github-request-id: E7BA:1DFC62:CF049A:DA67C0:666F80FE
<
* Connection #0 to host api.github.com left intact

{"message":"Resource not accessible by integration","documentation_url":"https://docs.github.com/rest/code-scanning/code-scanning#list-code-scanning-analyses-for-a-repository","status":"403"}

So that 403 Status code is documented as Response if GitHub Advanced Security is not enabled for this repository Which makes no sense as this is clearly enabled for this repository..

I expected to get this response and retrieve the id to follow up with a call to the SARIF API using application/sarif+json.

Because 403 might be due to the GitHub App I checked the permissions:

And the accepted perms are accepted too, including code for code scanning:

The only thing I can assume here is the API is still coded based on the days when code scanning was an enterprise plan only, and therefore the API is buggy for OSS repositories.

As an OSS project, I won't be able to tell someone they have a bug - I am very confident that is the root cause.

If I missed something I am open minded, but it is so far very clearly NOT working as designed due to legacy plan restrictions.

[bogdanap]

Hi @0x73746F66.

Thanks for reaching out!
While I agree the docs can be a bit confusing, HTTP 403 is also returned when the authentication token does not have the required permission to access the resources.
This seems to be the case based on the response you received ({"message":"Resource not accessible by integration"}).

The REST API is accessible for public repos and there should not be any plan restrictions.
You just need to make sure the token you're using has the required Code Scanning alerts repository permission and you are correctly authenticating as a GitHub App installation before issuing the request.

[0x73746F66]

The post shows the permissions, which is clearly why I made the assertion you attempted to correct but obviously didn't notice the advice you gave was already considered in my report.