OSS projects restricted from code scanning REST APIs #128794
Unanswered
0x73746F66 asked this question in API and Webhooks
Replies: 1 comment, 1 reply
Hi @0x73746F66. Thanks for reaching out! The REST API is accessible for public repos and there should not be any plan restrictions.
Topic area: Bug
I can see everything is working in code-scanning CodeQL configurations and rules are easy to view too.
I can see github-advanced-security doing its thing; it is an OSS repo so it's a really nice feature.
But how to obtain the SARIF?
The gha has no artifacts, the logs don't indicate SARIF creation at all.
I do see reporting exists, not sure what that means if it is SARIF or not..
I tried to locate the API and believe I have located it.
So the `403` status code is documented as "Response if GitHub Advanced Security is not enabled for this repository", which makes no sense as this is clearly enabled for this repository. I expected to get this response and retrieve the `id` to follow up with a call to the SARIF API using `application/sarif+json`.
Because the 403 might be due to the GitHub App, I checked the permissions:
![app permissions](https://private-user-images.githubusercontent.com/93355168/340147133-c282fc3b-3d60-4a9f-b0e7-0568f8df5287.png)
And the accepted perms are accepted too, including `code` for code scanning:
![accepted perms](https://private-user-images.githubusercontent.com/93355168/340147274-9412f5ba-058a-44de-b486-64950bc4d4f0.png)
The only thing I can assume here is the API is still coded based on the days when code scanning was an enterprise plan only, and therefore the API is buggy for OSS repositories.
As an OSS project, I won't be able to tell someone they have a bug - I am very confident that is the root cause.
If I missed something I am open minded, but it is so far very clearly NOT working as designed due to legacy plan restrictions.
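For readers hitting the same wall, here is the two-step call the question describes, as an added example (not the questioner's code and not GitHub's own): list the repository's analyses with `GET /repos/{owner}/{repo}/code-scanning/analyses`, pick an `id`, then request that single analysis with `Accept: application/sarif+json` to get the SARIF document. The endpoint paths, the media type and the `X-GitHub-Api-Version` header are the documented ones; the `GITHUB_TOKEN`/`GH_OWNER`/`GH_REPO` environment variables, the `octocat/hello-world` placeholder and the sample payloads are assumptions and constructed data so the selection and counting logic runs offline. A 403 on these endpoints is also what a token without the `security_events` (Code scanning alerts: read) permission gets, so the helper prints both things to check.

```python
"""Pull a CodeQL SARIF log for a repository through the GitHub code scanning REST API.

Added example for this discussion; not the questioner's code or GitHub's.
Endpoint paths, the SARIF media type and the api-version header are the documented ones;
the environment variable names, placeholder owner/repo and sample payloads are assumptions.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Any, Optional

API = "https://api.github.com"


def build_request(owner: str, repo: str, token: str,
                  analysis_id: Optional[int] = None) -> urllib.request.Request:
    """GET /repos/{owner}/{repo}/code-scanning/analyses, or one analysis as SARIF.

    The list endpoint returns JSON metadata (id, ref, tool, sarif_id, ...); asking for a
    single analysis with Accept: application/sarif+json returns the SARIF document itself.
    """
    path = f"/repos/{owner}/{repo}/code-scanning/analyses"
    accept = "application/vnd.github+json"
    if analysis_id is not None:
        path += f"/{analysis_id}"
        accept = "application/sarif+json"
    headers = {
        "Accept": accept,
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    }
    return urllib.request.Request(API + path, headers=headers)


def latest_analysis_id(analyses: list, tool: str = "CodeQL",
                       ref: Optional[str] = None) -> Optional[int]:
    """Pick the newest analysis for a tool (optionally restricted to one ref)."""
    wanted = [a for a in analyses
              if a.get("tool", {}).get("name") == tool
              and (ref is None or a.get("ref") == ref)]
    if not wanted:
        return None
    # created_at is ISO-8601 UTC, so string order is chronological order.
    return max(wanted, key=lambda a: a["created_at"])["id"]


def count_results(sarif: dict) -> dict:
    """Count SARIF results per ruleId across every run in the log."""
    counts: dict = {}
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            counts[result["ruleId"]] = counts.get(result["ruleId"], 0) + 1
    return counts


def fetch_json(req: urllib.request.Request) -> Any:
    """Send the request; a 403 here is the case the question is about."""
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        body = err.read().decode(errors="replace")
        if err.code == 403:
            raise SystemExit(
                "403 from %s: %s\nCheck that code scanning is enabled for the repository "
                "and that the token has the security_events (Code scanning alerts: read) "
                "permission." % (req.full_url, body))
        raise


# Constructed sample payloads, shaped like the real responses, for offline use.
SAMPLE_ANALYSES = [
    {"id": 201, "ref": "refs/heads/main", "commit_sha": "a1b2c3d",
     "created_at": "2024-06-29T10:00:00Z", "tool": {"name": "CodeQL"}, "sarif_id": "s-201"},
    {"id": 202, "ref": "refs/pull/7/merge", "commit_sha": "e4f5a6b",
     "created_at": "2024-06-30T09:00:00Z", "tool": {"name": "CodeQL"}, "sarif_id": "s-202"},
    {"id": 203, "ref": "refs/heads/main", "commit_sha": "a1b2c3d",
     "created_at": "2024-06-30T12:00:00Z", "tool": {"name": "OtherScanner"}, "sarif_id": "s-203"},
]
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "CodeQL"}},
              "results": [{"ruleId": "py/sql-injection", "message": {"text": "..."}},
                          {"ruleId": "py/sql-injection", "message": {"text": "..."}},
                          {"ruleId": "py/clear-text-logging", "message": {"text": "..."}}]}],
}

if __name__ == "__main__":
    # Placeholder owner/repo; override with GH_OWNER/GH_REPO (assumed variable names).
    owner = os.environ.get("GH_OWNER", "octocat")
    repo = os.environ.get("GH_REPO", "hello-world")
    token = os.environ.get("GITHUB_TOKEN")
    if token:  # live: list analyses, pick the newest CodeQL one on main, download its SARIF
        analyses = fetch_json(build_request(owner, repo, token))
        aid = latest_analysis_id(analyses, ref="refs/heads/main")
        if aid is None:
            raise SystemExit("no CodeQL analysis found on refs/heads/main")
        sarif = fetch_json(build_request(owner, repo, token, aid))
    else:      # offline: same selection and counting on the constructed samples
        aid = latest_analysis_id(SAMPLE_ANALYSES, ref="refs/heads/main")
        sarif = SAMPLE_SARIF
    print("analysis", aid, "results per rule:", count_results(sarif))
```

Run it with `GITHUB_TOKEN` set to a fine-grained PAT or app installation token that has code scanning alerts read access on the repository; without the variable it exercises the same selection and counting on the constructed samples. The `ref` filter matters in practice because pull request analyses share the list with branch analyses, so "latest" without a ref can hand you a PR merge-ref SARIF rather than the default branch one.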