Conversation
Summary of ChangesHello @MikeeBuilds, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces SARIF output, a valuable feature for integrating with code scanning platforms like GitHub Advanced Security. The implementation is well-structured, including a dedicated helper script for SARIF conversion and comprehensive documentation. My review focuses on a few areas for improvement: removing an unnecessary variable export, refactoring duplicated logic for better maintainability, cleaning up some dead code, and aligning the SARIF output with the provided documentation.
| "results": ( | ||
| . | map({ | ||
| "ruleId": .id, | ||
| "level": ( | ||
| if .severity == "critical" then "error" | ||
| elif .severity == "warn" then "warning" | ||
| elif .severity == "info" then "note" | ||
| elif .severity == "ok" then "none" | ||
| else "note" | ||
| end | ||
| ), | ||
| "message": { | ||
| "text": .title, | ||
| "markdown": ( | ||
| if .remediation != "" then | ||
| (.description + "\n\n**Remediation:** " + .remediation) | ||
| else | ||
| .description | ||
| end | ||
| ) | ||
| }, | ||
| "properties": { | ||
| "evidence": .evidence, | ||
| "auto_fix": .auto_fix | ||
| } | ||
| }) | ||
| ) |
There was a problem hiding this comment.
The current jq query includes findings with ok severity in the SARIF output, mapping their level to none. This contradicts the documentation in docs/github-actions-sarif.md, which states: "ok → Not included in SARIF output (only findings)".
To align the implementation with the documentation and produce a cleaner SARIF file, you should filter out these ok findings entirely. This also allows for simplifying the level-mapping logic within the query.
"results": [
.[] | select(.severity != "ok") | {
"ruleId": .id,
"level": (
if .severity == "critical" then "error"
elif .severity == "warn" then "warning"
else "note"
end
),
"message": {
"text": .title,
"markdown": (
if .remediation != "" then
(.description + "\n\n**Remediation:** " + .remediation)
else
.description
end
)
},
"properties": {
"evidence": .evidence,
"auto_fix": .auto_fix
}
}
]
clawpinch.sh
Outdated
| export CLAWPINCH_DEEP="$DEEP" | ||
| export CLAWPINCH_SHOW_FIX="$SHOW_FIX" | ||
| export CLAWPINCH_CONFIG_DIR="$CONFIG_DIR" | ||
| export SARIF_OUTPUT |
There was a problem hiding this comment.
The SARIF_OUTPUT variable is used only within this main script to control output flow and does not need to be exported. Exporting variables that are not needed by child processes can pollute their environment and potentially lead to unexpected behavior if a child script uses a variable with the same name for a different purpose.
| export SARIF_OUTPUT | |
| # SARIF_OUTPUT is used only in this script and does not need to be exported. |
clawpinch.sh
Outdated
| # ─── Banner ────────────────────────────────────────────────────────────────── | ||
|
|
||
| if [[ "$JSON_OUTPUT" -eq 0 ]] && [[ "$QUIET" -eq 0 ]]; then | ||
| if [[ "$JSON_OUTPUT" -eq 0 ]] && [[ "$SARIF_OUTPUT" -eq 0 ]] && [[ "$QUIET" -eq 0 ]]; then |
There was a problem hiding this comment.
This condition [[ "$JSON_OUTPUT" -eq 0 ]] && [[ "$SARIF_OUTPUT" -eq 0 ]] && [[ "$QUIET" -eq 0 ]] is repeated 5 times in the script (here and on lines 159, 180, 205, 214). To improve readability and maintainability, consider refactoring this into a helper function or a single variable.
For example, you could define a variable after argument parsing:
# Determine if we should print the rich terminal UI
local should_print_ui=1
if [[ "$JSON_OUTPUT" -eq 1 || "$SARIF_OUTPUT" -eq 1 || "$QUIET" -eq 1 ]]; then
should_print_ui=0
fiThen you could replace all occurrences of the long condition with a simpler if [[ "$should_print_ui" -eq 1 ]]; then. This would make the code cleaner and easier to modify in the future.
scripts/helpers/sarif.sh
Outdated
| _sarif_level() { | ||
| case "$1" in | ||
| critical) echo "error" ;; | ||
| warn) echo "warning" ;; | ||
| info) echo "note" ;; | ||
| ok) echo "none" ;; | ||
| *) echo "note" ;; | ||
| esac | ||
| } |
There was a problem hiding this comment.
This _sarif_level shell function is defined but never used. The mapping from the tool's severity levels to SARIF levels is handled directly inside the jq query on lines 106-112. This function is dead code and should be removed to keep the script clean.
Greptile OverviewGreptile SummaryThis PR adds a Main integration point is Issues needing attention before merge:
Confidence Score: 4/5
Important Files Changed
Sequence DiagramsequenceDiagram
participant U as User/CI
participant CP as clawpinch.sh
participant SC as Scanners
participant S as sarif.sh
participant JQ as jq
participant GH as upload-sarif
U->>CP: Run with --sarif
CP->>SC: Execute scanners
SC-->>CP: Findings JSON arrays
CP->>JQ: Sort/filter findings JSON
JQ-->>CP: SORTED_FINDINGS
CP->>S: convert_to_sarif(SORTED_FINDINGS)
S->>JQ: Build SARIF document
JQ-->>S: SARIF JSON
S-->>CP: SARIF JSON (stdout)
CP-->>U: SARIF JSON output
U->>GH: Upload SARIF file
GH-->>U: Code Scanning alerts
|
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| "results": ( | ||
| . | map({ | ||
| "ruleId": .id, | ||
| "level": ( | ||
| if .severity == "critical" then "error" | ||
| elif .severity == "warn" then "warning" | ||
| elif .severity == "info" then "note" | ||
| elif .severity == "ok" then "none" | ||
| else "note" | ||
| end | ||
| ), | ||
| "message": { | ||
| "text": .title, | ||
| "markdown": ( | ||
| if .remediation != "" then | ||
| (.description + "\n\n**Remediation:** " + .remediation) | ||
| else | ||
| .description | ||
| end | ||
| ) | ||
| }, | ||
| "properties": { | ||
| "evidence": .evidence, | ||
| "auto_fix": .auto_fix | ||
| } | ||
| }) | ||
| ) |
There was a problem hiding this comment.
SARIF results missing locations field - GitHub Code Scanning won't show inline file annotations
Current output only includes messages without file/line mappings. For GitHub to display findings inline on specific files, each result needs a locations array:
| "results": ( | |
| . | map({ | |
| "ruleId": .id, | |
| "level": ( | |
| if .severity == "critical" then "error" | |
| elif .severity == "warn" then "warning" | |
| elif .severity == "info" then "note" | |
| elif .severity == "ok" then "none" | |
| else "note" | |
| end | |
| ), | |
| "message": { | |
| "text": .title, | |
| "markdown": ( | |
| if .remediation != "" then | |
| (.description + "\n\n**Remediation:** " + .remediation) | |
| else | |
| .description | |
| end | |
| ) | |
| }, | |
| "properties": { | |
| "evidence": .evidence, | |
| "auto_fix": .auto_fix | |
| } | |
| }) | |
| ) | |
| "results": ( | |
| . | map({ | |
| "ruleId": .id, | |
| "level": ( | |
| if .severity == "critical" then "error" | |
| elif .severity == "warn" then "warning" | |
| elif .severity == "info" then "note" | |
| elif .severity == "ok" then "none" | |
| else "note" | |
| end | |
| ), | |
| "message": { | |
| "text": .title, | |
| "markdown": ( | |
| if .remediation != "" then | |
| (.description + "\n\n**Remediation:** " + .remediation) | |
| else | |
| .description | |
| end | |
| ) | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "." | |
| } | |
| } | |
| } | |
| ], | |
| "properties": { | |
| "evidence": .evidence, | |
| "auto_fix": .auto_fix | |
| } | |
| }) | |
| ) |
This maps all findings to the repository root. For more precise annotations, ClawPinch findings would need to include file paths (e.g., from $OPENCLAW_CONFIG evidence).
Prompt To Fix With AI
This is a comment left during a code review.
Path: scripts/helpers/sarif.sh
Line: 103:129
Comment:
SARIF results missing `locations` field - GitHub Code Scanning won't show inline file annotations
Current output only includes messages without file/line mappings. For GitHub to display findings inline on specific files, each result needs a `locations` array:
```suggestion
"results": (
. | map({
"ruleId": .id,
"level": (
if .severity == "critical" then "error"
elif .severity == "warn" then "warning"
elif .severity == "info" then "note"
elif .severity == "ok" then "none"
else "note"
end
),
"message": {
"text": .title,
"markdown": (
if .remediation != "" then
(.description + "\n\n**Remediation:** " + .remediation)
else
.description
end
)
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "."
}
}
}
],
"properties": {
"evidence": .evidence,
"auto_fix": .auto_fix
}
})
)
```
This maps all findings to the repository root. For more precise annotations, ClawPinch findings would need to include file paths (e.g., from `$OPENCLAW_CONFIG` evidence).
How can I resolve this? If you propose a fix, please make it concise.
MikeeBuilds
force-pushed
the
auto-claude/009-sarif-output-format
branch
from
a16ea71 to
0fffd6b
Compare
…, add locations, refactor UI condition Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
All review feedback has been addressed:
@gemini-code-assist @greptile-apps — requesting re-review. Thanks! |
There was a problem hiding this comment.
Code Review
This pull request introduces SARIF output format for scan results, enabling integration with tools like GitHub Advanced Security. The changes include adding a --sarif flag, a new helper script for SARIF conversion, and comprehensive documentation for GitHub Actions integration. The implementation is well-structured, using a dedicated script for formatting and refactoring the main script to handle different output modes cleanly. My review focuses on improving the generated SARIF output for better usability. I've identified that the help URIs for rules are incorrect, and I've provided suggestions to fix them in both the generation script and the documentation.
scripts/helpers/sarif.sh
Outdated
| fullDescription: { | ||
| text: .description | ||
| }, | ||
| helpUri: ($tool_uri + "#" + (.id | ascii_downcase)), |
There was a problem hiding this comment.
The generated helpUri points to the main repository page, which doesn't have anchors for check IDs, resulting in a broken link. It should point to the check-catalog.md file where the check details are documented.
To make this link work correctly, you would also need to add HTML anchors to the headers in references/check-catalog.md, for example: ### <a name="chk-cfg-001"></a>CHK-CFG-001 -- ....
This change updates the URI to point to the correct file. The anchor will work if you add the corresponding lowercase name attributes to the headers in the catalog.
| helpUri: ($tool_uri + "#" + (.id | ascii_downcase)), | |
| helpUri: ($tool_uri + "/blob/main/references/check-catalog.md#" + (.id | ascii_downcase)), |
docs/github-actions-sarif.md
Outdated
| "shortDescription": { | ||
| "text": "Gateway listening on 0.0.0.0" | ||
| }, | ||
| "helpUri": "https://github.com/MikeeBuilds/clawpinch#chk-cfg-001", |
There was a problem hiding this comment.
The example helpUri here points to a non-existent anchor on the main repository page. This should be updated to reflect the correct link to the check documentation in references/check-catalog.md. This will prevent confusion for users looking at the example SARIF output and will align with the fix in sarif.sh.
| "helpUri": "https://github.com/MikeeBuilds/clawpinch#chk-cfg-001", | |
| "helpUri": "https://github.com/MikeeBuilds/clawpinch/blob/main/references/check-catalog.md#chk-cfg-001", |
| . | [.[] | select(.severity != "ok")] | map({ | ||
| id: .id, | ||
| name: .title, | ||
| shortDescription: { | ||
| text: .title | ||
| }, | ||
| fullDescription: { | ||
| text: .description | ||
| }, | ||
| helpUri: ($tool_uri + "#" + (.id | ascii_downcase)), | ||
| properties: { | ||
| category: ( | ||
| if .id | startswith("CHK-CFG-") then "configuration" | ||
| elif .id | startswith("CHK-SEC-") then "secrets" | ||
| elif .id | startswith("CHK-NET-") then "network" | ||
| elif .id | startswith("CHK-SKL-") then "skills" | ||
| elif .id | startswith("CHK-PRM-") then "permissions" | ||
| elif .id | startswith("CHK-CRN-") then "cron" | ||
| elif .id | startswith("CHK-CVE-") then "cve" | ||
| elif .id | startswith("CHK-SUP-") then "supply-chain" | ||
| else "general" | ||
| end | ||
| ) | ||
| } | ||
| }) | ||
| | unique_by(.id) | ||
| ) |
There was a problem hiding this comment.
Rules missing defaultConfiguration.level field
The SARIF spec and your own documentation (line 308-310 in docs/github-actions-sarif.md) show that rules should include defaultConfiguration.level, but this implementation doesn't include it. While not strictly required by SARIF v2.1.0, this field helps tools like GitHub Code Scanning understand the default severity of each rule.
| . | [.[] | select(.severity != "ok")] | map({ | |
| id: .id, | |
| name: .title, | |
| shortDescription: { | |
| text: .title | |
| }, | |
| fullDescription: { | |
| text: .description | |
| }, | |
| helpUri: ($tool_uri + "#" + (.id | ascii_downcase)), | |
| properties: { | |
| category: ( | |
| if .id | startswith("CHK-CFG-") then "configuration" | |
| elif .id | startswith("CHK-SEC-") then "secrets" | |
| elif .id | startswith("CHK-NET-") then "network" | |
| elif .id | startswith("CHK-SKL-") then "skills" | |
| elif .id | startswith("CHK-PRM-") then "permissions" | |
| elif .id | startswith("CHK-CRN-") then "cron" | |
| elif .id | startswith("CHK-CVE-") then "cve" | |
| elif .id | startswith("CHK-SUP-") then "supply-chain" | |
| else "general" | |
| end | |
| ) | |
| } | |
| }) | |
| | unique_by(.id) | |
| ) | |
| "rules": ( | |
| . | [.[] | select(.severity != "ok")] | map({ | |
| id: .id, | |
| name: .title, | |
| shortDescription: { | |
| text: .title | |
| }, | |
| fullDescription: { | |
| text: .description | |
| }, | |
| helpUri: ($tool_uri + "#" + (.id | ascii_downcase)), | |
| defaultConfiguration: { | |
| level: ( | |
| if .severity == "critical" then "error" | |
| elif .severity == "warn" then "warning" | |
| elif .severity == "info" then "note" | |
| else "note" | |
| end | |
| ) | |
| }, | |
| properties: { | |
| category: ( | |
| if .id | startswith("CHK-CFG-") then "configuration" | |
| elif .id | startswith("CHK-SEC-") then "secrets" | |
| elif .id | startswith("CHK-NET-") then "network" | |
| elif .id | startswith("CHK-SKL-") then "skills" | |
| elif .id | startswith("CHK-PRM-") then "permissions" | |
| elif .id | startswith("CHK-CRN-") then "cron" | |
| elif .id | startswith("CHK-CVE-") then "cve" | |
| elif .id | startsWith("CHK-SUP-") then "supply-chain" | |
| else "general" | |
| end | |
| ) | |
| } | |
| }) | |
| | unique_by(.id) | |
| ) |
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
Prompt To Fix With AI
This is a comment left during a code review.
Path: scripts/helpers/sarif.sh
Line: 62:88
Comment:
Rules missing `defaultConfiguration.level` field
The SARIF spec and your own documentation (line 308-310 in `docs/github-actions-sarif.md`) show that rules should include `defaultConfiguration.level`, but this implementation doesn't include it. While not strictly required by SARIF v2.1.0, this field helps tools like GitHub Code Scanning understand the default severity of each rule.
```suggestion
"rules": (
. | [.[] | select(.severity != "ok")] | map({
id: .id,
name: .title,
shortDescription: {
text: .title
},
fullDescription: {
text: .description
},
helpUri: ($tool_uri + "#" + (.id | ascii_downcase)),
defaultConfiguration: {
level: (
if .severity == "critical" then "error"
elif .severity == "warn" then "warning"
elif .severity == "info" then "note"
else "note"
end
)
},
properties: {
category: (
if .id | startswith("CHK-CFG-") then "configuration"
elif .id | startswith("CHK-SEC-") then "secrets"
elif .id | startswith("CHK-NET-") then "network"
elif .id | startswith("CHK-SKL-") then "skills"
elif .id | startswith("CHK-PRM-") then "permissions"
elif .id | startswith("CHK-CRN-") then "cron"
elif .id | startswith("CHK-CVE-") then "cve"
elif .id | startsWith("CHK-SUP-") then "supply-chain"
else "general"
end
)
}
})
| unique_by(.id)
)
```
<sub>Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!</sub>
How can I resolve this? If you propose a fix, please make it concise.…evel to SARIF rules Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Round 2 feedback addressed:
@gemini-code-assist @greptile-apps — requesting re-review. Thanks! |
There was a problem hiding this comment.
Code Review
This pull request introduces SARIF output, a valuable feature for integrating with security dashboards in platforms like GitHub. The implementation is well-structured, adding a dedicated helper script for SARIF conversion and comprehensive documentation with excellent GitHub Actions examples. My review includes a fix for a bug that generates broken help links in the SARIF report, suggestions to resolve version inconsistencies, and recommendations to make the documentation examples more robust. Overall, this is a strong contribution.
scripts/helpers/sarif.sh
Outdated
| fullDescription: { | ||
| text: .description | ||
| }, | ||
| helpUri: ($tool_uri + "/blob/main/references/check-catalog.md#" + (.id | ascii_downcase)), |
There was a problem hiding this comment.
The current jq expression to generate the helpUri anchor (.id | ascii_downcase) will result in broken links. GitHub's anchor generation for markdown headers is more complex (e.g., for ### CHK-CFG-001 -- ..., the anchor is #chk-cfg-001----...). Linking to the document itself is a more robust solution than generating a broken fragment link, allowing users to search for the check ID on the page.
| helpUri: ($tool_uri + "/blob/main/references/check-catalog.md#" + (.id | ascii_downcase)), | |
| helpUri: ($tool_uri + "/blob/main/references/check-catalog.md"), |
scripts/helpers/sarif.sh
Outdated
| local tool_version="1.2.0" | ||
| local package_json | ||
| package_json="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)/package.json" | ||
| if [[ -f "$package_json" ]]; then | ||
| tool_version="$(jq -r '.version // "1.2.0"' "$package_json" 2>/dev/null || echo "1.2.0")" | ||
| fi |
There was a problem hiding this comment.
The fallback version 1.2.0 is hardcoded here and is inconsistent with the version in package.json (1.2.1). This will cause an incorrect tool version to be reported in the SARIF file if reading package.json fails. Please update this to 1.2.1 for consistency.
| local tool_version="1.2.0" | |
| local package_json | |
| package_json="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)/package.json" | |
| if [[ -f "$package_json" ]]; then | |
| tool_version="$(jq -r '.version // "1.2.0"' "$package_json" 2>/dev/null || echo "1.2.0")" | |
| fi | |
| # Get tool version from package.json (fallback to 1.2.1) | |
| local tool_version="1.2.1" | |
| local package_json | |
| package_json="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)/package.json" | |
| if [[ -f "$package_json" ]]; then | |
| tool_version="$(jq -r '.version // "1.2.1"' "$package_json" 2>/dev/null || echo "1.2.1")" | |
| fi |
docs/github-actions-sarif.md
Outdated
| npx clawpinch --sarif --no-interactive > clawpinch.sarif | ||
|
|
||
| # Check if any critical findings exist | ||
| if jq -e '.runs[0].results[] | select(.level == "error")' clawpinch.sarif > /dev/null; then |
There was a problem hiding this comment.
To make this example more robust, consider using optional chaining (?) in the jq command. This prevents the step from failing if the SARIF file is valid but doesn't contain a results array (e.g., if no findings were produced), which is a good practice for CI workflows.
| if jq -e '.runs[0].results[] | select(.level == "error")' clawpinch.sarif > /dev/null; then | |
| if jq -e '.runs[0]?.results[]? | select(.level == "error")' clawpinch.sarif > /dev/null; then |
docs/github-actions-sarif.md
Outdated
| "tool": { | ||
| "driver": { | ||
| "name": "ClawPinch", | ||
| "version": "1.2.0", |
There was a problem hiding this comment.
The tool version in this example SARIF output is 1.2.0, but the current version in package.json is 1.2.1. Please update the example to reflect the correct version for consistency.
| "version": "1.2.0", | |
| "version": "1.2.1", |
docs/github-actions-sarif.md
Outdated
| npx clawpinch --sarif --no-interactive > clawpinch.sarif | ||
|
|
||
| # Count critical findings | ||
| CRITICAL=$(jq '[.runs[0].results[] | select(.level == "error")] | length' clawpinch.sarif) |
There was a problem hiding this comment.
To make this example more robust, consider using optional chaining (?) in the jq command. This will prevent the step from failing if the SARIF file is valid but contains no results array, for example, if no findings were produced.
| CRITICAL=$(jq '[.runs[0].results[] | select(.level == "error")] | length' clawpinch.sarif) | |
| CRITICAL=$(jq '[.runs[0]?.results[]? | select(.level == "error")] | length' clawpinch.sarif) |
…chaining - Update hardcoded version fallback from 1.2.0 to 1.2.1 to match package.json - Remove broken ascii_downcase fragment anchor from helpUri, point to check-catalog.md without fragment - Use jq optional chaining (.runs[0]?.results[]?) in CI examples for robustness when SARIF has empty/missing runs - Update example SARIF version and helpUri in docs to match code changes - Greptile comment #7 (defaultConfiguration.level) already addressed in round 2 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Round 3 review feedback addressed in 4a83c29:
@gemini-code-assist @greptile-apps — Requesting re-review. |
There was a problem hiding this comment.
Code Review
This pull request introduces SARIF output format support via a --sarif flag, enabling integration with code scanning tools like GitHub Advanced Security. The implementation includes a new helper script sarif.sh to convert findings to SARIF format and extensive documentation in github-actions-sarif.md on how to use it with GitHub Actions. The changes in clawpinch.sh to support the new flag and refactor the UI display logic are well-done. My review focuses on the new documentation, pointing out a few areas where the examples and descriptions could be more closely aligned with the implementation to avoid user confusion.
docs/github-actions-sarif.md
Outdated
|
|
||
| Once uploaded, security findings appear in pull requests: | ||
|
|
||
| - **Code annotations**: Findings appear as inline comments on the relevant files |
There was a problem hiding this comment.
This documentation states that findings will appear as inline comments. However, the current SARIF generation implementation in scripts/helpers/sarif.sh sets the location for all findings to the repository root ("uri": ".") without specific file or line number information. This means that GitHub will likely show findings at the repository level in the 'Security' tab, but not as inline annotations on the relevant source code files. To avoid user confusion, it would be best to update this documentation to reflect the current behavior. For true inline annotations, the tool's finding data model would need to be extended to include file and line information, which could be a larger future enhancement.
docs/github-actions-sarif.md
Outdated
| "tool": { | ||
| "driver": { | ||
| "name": "ClawPinch", | ||
| "version": "1.2.1", |
There was a problem hiding this comment.
The tool version in this example is hardcoded as 1.2.1. The sarif.sh script dynamically determines the version from package.json. To prevent this documentation from becoming outdated, consider using a placeholder like <clawpinch-version> and mentioning that it's dynamically populated.
| "version": "1.2.1", | |
| "version": "<clawpinch-version>", |
| "message": { | ||
| "text": "Gateway listening on 0.0.0.0 - restricts to localhost (127.0.0.1)", | ||
| "markdown": "**Finding:** Gateway listening on 0.0.0.0\n\n**Fix:** Set gateway.host to '127.0.0.1' in openclaw.json" | ||
| } |
There was a problem hiding this comment.
The example message object here doesn't quite match the structure generated by scripts/helpers/sarif.sh. The script generates a markdown message combining the finding's description and remediation fields, like (.description + "\n\n**Remediation:** " + .remediation). This example seems to use the title for the finding text. Aligning the example with the actual output would make the documentation more accurate.
| "message": { | |
| "text": "Gateway listening on 0.0.0.0 - restricts to localhost (127.0.0.1)", | |
| "markdown": "**Finding:** Gateway listening on 0.0.0.0\n\n**Fix:** Set gateway.host to '127.0.0.1' in openclaw.json" | |
| } | |
| "message": { | |
| "text": "Gateway listening on 0.0.0.0", | |
| "markdown": "The gateway `bindAddress` is set to `0.0.0.0`, exposing it on all network interfaces. Any device on the local network (or the internet, if port-forwarded) can connect.\n\n**Remediation:** Set `gateway.bindAddress` to `127.0.0.1:<port>` in `openclaw.json`." | |
| } |
- Update PR results section: findings appear in Security tab as
repository-level alerts, not as inline code annotations, because
the SARIF location uses repository root ("uri": ".") without
file/line info
- Replace hardcoded version "1.2.1" with placeholder
<clawpinch-version> and note it is dynamically read from
package.json at runtime
- Fix example message object to match sarif.sh output: "text" holds
the short finding title, "markdown" holds description + remediation
in the format (.description + "\n\n**Remediation:** " + .remediation)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Addressed all 3 review comments from @gemini-code-assist in commit f5a6455:
|
|
Thanks for the update, @MikeeBuilds! I've reviewed the changes in commit
Great work on these improvements! |
| . | [.[] | select(.severity != "ok")] | map({ | ||
| "ruleId": .id, | ||
| "level": ( |
There was a problem hiding this comment.
SARIF includes null fields
properties.evidence and properties.auto_fix are emitted as JSON null when the input finding has those fields set to null (e.g., scanners using emit_finding ... "$evidence" with an empty/unset var typically produce empty string, but any custom scanner could output null). SARIF property values are expected to be strings/objects/arrays; null here is likely to break validation or downstream tooling. Consider normalizing with (.evidence // "") and (.auto_fix // "") (and similarly guarding .remediation comparisons against null) before constructing message.markdown and properties.
Prompt To Fix With AI
This is a comment left during a code review.
Path: scripts/helpers/sarif.sh
Line: 101:103
Comment:
**SARIF includes `null` fields**
`properties.evidence` and `properties.auto_fix` are emitted as JSON `null` when the input finding has those fields set to null (e.g., scanners using `emit_finding ... "$evidence"` with an empty/unset var typically produce empty string, but any custom scanner could output null). SARIF property values are expected to be strings/objects/arrays; `null` here is likely to break validation or downstream tooling. Consider normalizing with `(.evidence // "")` and `(.auto_fix // "")` (and similarly guarding `.remediation` comparisons against null) before constructing `message.markdown` and `properties`.
How can I resolve this? If you propose a fix, please make it concise.| ## SARIF Output Format Reference | ||
|
|
||
| ClawPinch produces SARIF v2.1.0 output with the following structure. The `version` field is dynamically populated from `package.json` at runtime: | ||
|
|
||
| ```json | ||
| { | ||
| "version": "2.1.0", | ||
| "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", |
There was a problem hiding this comment.
Schema URL not stable
The $schema value in the example uses raw.githubusercontent.com/oasis-tcs/.../master/..., which can change over time and may cause validator drift. Since this doc is meant to be copied verbatim into CI troubleshooting, it should reference a specific tag/commit (or omit $schema entirely) to keep the guidance deterministic.
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
Prompt To Fix With AI
This is a comment left during a code review.
Path: docs/github-actions-sarif.md
Line: 275:282
Comment:
**Schema URL not stable**
The `$schema` value in the example uses `raw.githubusercontent.com/oasis-tcs/.../master/...`, which can change over time and may cause validator drift. Since this doc is meant to be copied verbatim into CI troubleshooting, it should reference a specific tag/commit (or omit `$schema` entirely) to keep the guidance deterministic.
<sub>Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!</sub>
How can I resolve this? If you propose a fix, please make it concise.1 participant
Add a --sarif flag that outputs scan results in SARIF (Static Analysis Results Interchange Format) v2.1.0. This enables direct integration with GitHub Advanced Security, Azure DevOps, and other SARIF-compatible code scanning platforms. Findings map to SARIF result objects with rule metadata, severity levels, and remediation guidance.