This action take the Veracode pipeline scan json result file as an input and transform it to a SARIF format.

Add the -jo true to your Pipeline Scan command to generate the JSON result file. See, details for the other pipeline scan attributes

If your github account allows code scanning, you can then upload the sarif file to show the scan findings

See - Veracode pipeline scan example in github action

Required The path to the pipeline json result file.

Optional The path to the SARIF format result file.

Optional In some compilations, the path representation is not the same as the repository root folder. In order to add the ability to navigate back from the scanning issue to the file in the repository, a base path to the source is required. The input format is regex base ("[search pattern]:[replace with pattern]").

Optional The conversion rule from Veracode finding levels to Github levels.

• Veracode levels: 5 = Very High, 4 = High, 3 = Medium, 2 = Low, 1 = Very Low, 0 = informational.
• GitHub levels: error, warning, note.

Example values:

• "4:3:0" => High and Very high will show as error, Medium as warning and the rest as note
• "3:2:1" => Medium and above will show as error, Low as warning, Very Low as note, and informational will not show at all

Note: Only error level will fail pull request check

- name: Convert pipeline scan output to SARIF format
  id: convert   
  uses: Lerer/[email protected]
  with:
    pipeline-results-json: results.json
    output-results-sarif: veracode-results.sarif
    source-base-path-1: "^com/veracode:src/main/java/com/veracode"
    source-base-path-2: "^WEB-INF:src/main/webapp/WEB-INF"
    finding-rule-level: "3:1:0"
      
- name: upload sarif file to repository
  uses: github/codeql-action/upload-sarif@v1
  with: # Path to SARIF file relative to the root of the repository
    sarif_file: veracode-results.sarif