fix(cli): apply governance suppressions before SARIF export#105
Signed-off-by: PythonWoods <gianluca.catalano@gmail.com>
5c5858b to b4cfc94
Summary
This PR fixes a critical bug in the SARIF formatter where the output bypassed the `per_file_ignores` and `directory_policies` filtering. Previously, when running `zenzic check all --format sarif`, the raw findings were directly converted to SARIF without calling `_apply_per_file_ignores()` and `_apply_directory_policies()`. This exposed all internally suppressed issues to GitHub Advanced Security, effectively breaking the CI pipeline despite the issues being properly managed and suppressed in `.zenzic.toml`.

Changes
- Applied the governance suppressions (`_apply_per_file_ignores` and `_apply_directory_policies`) to the findings array before calling `_output_sarif_findings` in `src/zenzic/cli/_check.py`.
- Bumped the version to `v0.13.1` across all manifests and documentation, including `CITATION.cff`.

Impact
- SARIF output now honours the same suppressions as the `text` and `github-annotations` formats, respecting the repository's configured technical debt.
- Allows CI pipelines with `upload-sarif: 'true'` to run without failing on explicitly suppressed files (e.g. legacy blog posts with i18n parity exemptions).
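The ordering bug described above, reduced to a self-contained illustration; this is added example code, not zenzic's own implementation. The finding dict shape, the config shape standing in for `.zenzic.toml`, the sample data and every function name are assumptions; only the before/after ordering mirrors the PR.

```python
from fnmatch import fnmatch

# Constructed sample data; the shape of .zenzic.toml is assumed, not taken from the PR.
CONFIG = {
    "per_file_ignores": {"content/blog/2019-*.md": {"I18N_PARITY"}},
    "directory_policies": {"legacy": {"I18N_PARITY", "BROKEN_LINK"}},
}
FINDINGS = [
    {"path": "content/blog/2019-hello.md", "rule": "I18N_PARITY", "message": "no translation"},
    {"path": "legacy/old.md", "rule": "BROKEN_LINK", "message": "dead link"},
    {"path": "content/blog/2024-new.md", "rule": "I18N_PARITY", "message": "no translation"},
]

def apply_per_file_ignores(findings, per_file_ignores):
    """Drop a finding when its path matches a glob that lists its rule."""
    return [f for f in findings
            if not any(fnmatch(f["path"], glob) and f["rule"] in rules
                       for glob, rules in per_file_ignores.items())]

def apply_directory_policies(findings, directory_policies):
    """Drop a finding when a directory policy suppresses its rule for that subtree."""
    return [f for f in findings
            if not any(f["path"].startswith(d.rstrip("/") + "/") and f["rule"] in rules
                       for d, rules in directory_policies.items())]

def to_sarif(findings):
    """Minimal SARIF 2.1.0 log: only the fields needed to show what gets exported."""
    return {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "zenzic"}},
            "results": [{"ruleId": f["rule"], "message": {"text": f["message"]},
                         "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["path"]}}}]}
                        for f in findings]}]}

def export_sarif_before(findings, cfg):
    # The bug: raw findings go straight to SARIF, so suppressed issues reach code scanning.
    return to_sarif(findings)

def export_sarif_after(findings, cfg):
    # The fix: run the same governance filters as the text format, then convert.
    findings = apply_per_file_ignores(findings, cfg["per_file_ignores"])
    findings = apply_directory_policies(findings, cfg["directory_policies"])
    return to_sarif(findings)

def exported_paths(sarif):
    """Paths present in a SARIF log, for checking what would be uploaded."""
    return [r["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
            for r in sarif["runs"][0]["results"]]

if __name__ == "__main__":
    print("before:", exported_paths(export_sarif_before(FINDINGS, CONFIG)))
    print("after: ", exported_paths(export_sarif_after(FINDINGS, CONFIG)))
```

Running it shows three results in the buggy export and only the unsuppressed 2024 post after the fix, which is the difference GitHub Advanced Security would see.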