🐛 SAST detect new GitHub app slug for CodeQL (#3591)

* Fix SAST no longer working for CodeQL The app slug for CodeQL appears to have changed from `github-advanced-security` to `github-code-scanning`, causing the SAST rule to false-negative on commits. Signed-off-by: martincostello <martin@martincostello.com> * Fix lint warning Fix lint warning. Signed-off-by: martincostello <martin@martincostello.com> --------- Signed-off-by: martincostello <martin@martincostello.com>
ossf · Oct 20, 2023 · 49c0eed · 49c0eed
1 parent 4b8066a
commit 49c0eed
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 2 deletions.
diff --git a/checks/sast.go b/checks/sast.go
@@ -36,7 +36,12 @@ const CheckSAST = "SAST"
 
 var errInvalid = errors.New("invalid")
 
-var sastTools = map[string]bool{"github-code-scanning": true, "lgtm-com": true, "sonarcloud": true}
+var sastTools = map[string]bool{
+	"github-advanced-security": true,
+	"github-code-scanning":     true,
+	"lgtm-com":                 true,
+	"sonarcloud":               true,
+}
 
 var allowedConclusions = map[string]bool{"success": true, "neutral": true}
 

diff --git a/checks/sast_test.go b/checks/sast_test.go
@@ -60,7 +60,53 @@ func Test_SAST(t *testing.T) {
 			expected:     checker.CheckResult{Score: -1},
 		},
 		{
-			name: "Successful SAST checker should return success status",
+			name: "Successful SAST checker should return success status for github-advanced-security",
+			commits: []clients.Commit{
+				{
+					AssociatedMergeRequest: clients.PullRequest{
+						MergedAt: time.Now().Add(time.Hour - 1),
+					},
+				},
+			},
+			searchresult: clients.SearchResponse{},
+			checkRuns: []clients.CheckRun{
+				{
+					Status:     "completed",
+					Conclusion: "success",
+					App: clients.CheckRunApp{
+						Slug: "github-advanced-security",
+					},
+				},
+			},
+			expected: checker.CheckResult{
+				Score: 10,
+			},
+		},
+		{
+			name: "Successful SAST checker should return success status for github-code-scanning",
+			commits: []clients.Commit{
+				{
+					AssociatedMergeRequest: clients.PullRequest{
+						MergedAt: time.Now().Add(time.Hour - 1),
+					},
+				},
+			},
+			searchresult: clients.SearchResponse{},
+			checkRuns: []clients.CheckRun{
+				{
+					Status:     "completed",
+					Conclusion: "success",
+					App: clients.CheckRunApp{
+						Slug: "github-code-scanning",
+					},
+				},
+			},
+			expected: checker.CheckResult{
+				Score: 10,
+			},
+		},
+		{
+			name: "Successful SAST checker should return success status for lgtm",
 			commits: []clients.Commit{
 				{
 					AssociatedMergeRequest: clients.PullRequest{
@@ -82,6 +128,29 @@ func Test_SAST(t *testing.T) {
 				Score: 10,
 			},
 		},
+		{
+			name: "Successful SAST checker should return success status for sonarcloud",
+			commits: []clients.Commit{
+				{
+					AssociatedMergeRequest: clients.PullRequest{
+						MergedAt: time.Now().Add(time.Hour - 1),
+					},
+				},
+			},
+			searchresult: clients.SearchResponse{},
+			checkRuns: []clients.CheckRun{
+				{
+					Status:     "completed",
+					Conclusion: "success",
+					App: clients.CheckRunApp{
+						Slug: "sonarcloud",
+					},
+				},
+			},
+			expected: checker.CheckResult{
+				Score: 10,
+			},
+		},
 		{
 			name: "Failed SAST checker should return success status",
 			commits: []clients.Commit{