.github/workflows/codeql.yml: use filter-sarif to filter meson-private

There is a severe number of false-positive in code scanning caused by inspecting meson-internal test files like 'build/meson-private/tmpzb46osmq/testfile.c'. As a workaround, use the 'filter-sarif' action to filter out these results before uploading the SARIF (Static Analysis Results Interchange Format). This PR was inspired by rauc#1346 and the example from https://github.com/advanced-security/filter-sarif. Signed-off-by: Enrico Joerns <[email protected]>
ejoerns · Feb 29, 2024 · 978998c · 978998c
1 parent 59d62f9
commit 978998c
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -41,3 +41,19 @@ jobs:
         uses: github/codeql-action/analyze@v3
         with:
           category: "/language:cpp"
+          upload: false
+          output: sarif-results
+
+      - name: Filter out meson-internal test files
+        uses: advanced-security/filter-sarif@v1
+        with:
+          patterns: |
+            -build/meson-private/**/testfile.c
+          input: sarif-results/cpp.sarif
+          output: sarif-results/cpp.sarif
+
+      - name: Upload CodeQL results to code scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: sarif-results/cpp.sarif
+          category: "/language:cpp"