ci: Report results from CIFuzz using SARIF

Upload results from CIFuzz using SARIF. This will allow CIFuzz to report issues in the security tab. This is a better UI than having to look through logs. TODO(google/oss-fuzz#10452): Add proper descriptions of UBSAN bugs.
2024-07-22 02:34:54 +00:00 · 2023-06-05 01:37:34 -04:00 · 2023-06-05 01:37:34 -04:00 · 56595a3730
parent 150231d25d
commit 56595a3730
1 changed files with 12 additions and 0 deletions
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@ -35,6 +35,9 @@ jobs:
        include:
          - sanitizer: address
            architecture: i386
+    permissions:
+      security-events: write
+
    steps:
      - name: Build Fuzzers (${{ matrix.sanitizer }})
        id: build
@ -47,6 +50,7 @@ jobs:
          keep-unaffected-fuzz-targets: true
          sanitizer: ${{ matrix.sanitizer }}
          architecture: ${{ matrix.architecture }}
+          output-sarif: true
      - name: Run Fuzzers (${{ matrix.sanitizer }})
        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
        with:
@ -54,9 +58,17 @@ jobs:
          fuzz-seconds: 600
          dry-run: false
          sanitizer: ${{ matrix.sanitizer }}
+          output-sarif: true
      - name: Upload Crash
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
        if: failure() && steps.build.outcome == 'success'
        with:
          name: ${{ matrix.sanitizer }}-${{ matrix.architecture }}-artifacts
          path: ./out/artifacts
+      - name: Upload Sarif
+        if: always() && steps.build.outcome == 'success'
+        uses: github/codeql-action/upload-sarif@0225834cc549ee0ca93cb085b92954821a145866
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: cifuzz-sarif/results.sarif
+          checkout_path: cifuzz-sarif