
Error: Unable to upload "results.sarif" as it is not valid SARIF

JPLachance opened this issue 2 months ago • 2 comments

Describe the bug

When the GitHub Action job reaches the SARIF upload step, the SARIF upload fails.

Error: Unable to upload "results.sarif" as it is not valid SARIF:

  • instance.runs[0].tool.driver.supportedTaxonomies[0].index is not of a type(s) integer
  • instance.runs[0].tool.driver.supportedTaxonomies[0].guid is not of a type(s) string
  • instance.runs[0].taxonomies[0].rules is not of a type(s) array

To Reproduce

Here is our job YAML. Notice we run on a https://runs-on.com/ GitHub runner, on Ubuntu 24.04.

  poutine:
    name: Boost Security.io Poutine
    runs-on:
      # these are auto-generated
      - runs-on=${{ github.run_id }}
      - runner=default_ubuntu_24_arm64
      - env=${{ vars.RUNS_ON_ENV_DEV }}/region=us-east-1

    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
      - name: Setup self-hosted runner
        uses: coveo-platform/[email protected]
      - uses: actions/[email protected]
      - name: poutine - GitHub Actions SAST
        uses: boostsecurityio/poutine-action@61bf0017ee5853beb601609f85c94249b53c26ef
      - name: Upload poutine SARIF file
        uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
        with:
          sarif_file: results.sarif

Expected behavior

Uploading a SARIF normally works.

Screenshots

Run github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f
##[debug]Sending status report: {"action_name":"upload-sarif","action_oid":"unknown","action_ref":"4fa2a7953630fd2f3fb380f21be14ede0169dd4f","action_started_at":"2025-11-07T18:05:39.980Z","action_version":"3.25.12","analysis_key":".github/workflows/security-ci.yml:poutine","commit_oid":"fcd6c2d5b2c2d8366e13b7415780831017e0ecae","first_party_analysis":false,"job_name":"poutine","job_run_uuid":"","ref":"refs/pull/482/merge","runner_os":"Linux","started_at":"2025-11-07T18:05:39.980Z","status":"starting","steady_state_default_setup":false,"testing_environment":"","workflow_name":"Code Scanning","workflow_run_attempt":2,"workflow_run_id":19173891048,"actions_event_name":"pull_request","runner_available_disk_space_bytes":40131665920,"runner_total_disk_space_bytes":50884108288,"matrix_vars":"null","runner_arch":"ARM64"}
::group::Uploading results
Uploading results
Error details: instance.runs[0].tool.driver.supportedTaxonomies[0].index is not of a type(s) integer
::group::Error details: instance.runs[0].tool.driver.supportedTaxonomies[0].guid is not of a type(s) string
Error details: instance.runs[0].tool.driver.supportedTaxonomies[0].guid is not of a type(s) string
::group::Error details: instance.runs[0].taxonomies[0].rules is not of a type(s) array
Error details: instance.runs[0].taxonomies[0].rules is not of a type(s) array
Error: Unable to upload "results.sarif" as it is not valid SARIF:
- instance.runs[0].tool.driver.supportedTaxonomies[0].index is not of a type(s) integer
- instance.runs[0].tool.driver.supportedTaxonomies[0].guid is not of a type(s) string
- instance.runs[0].taxonomies[0].rules is not of a type(s) array
##[debug]Sending status report: {"action_name":"upload-sarif","action_oid":"unknown","action_ref":"4fa2a7953630fd2f3fb380f21be14ede0169dd4f","action_started_at":"2025-11-07T18:05:39.980Z","action_version":"3.25.12","analysis_key":".github/workflows/security-ci.yml:poutine","commit_oid":"fcd6c2d5b2c2d8366e13b7415780831017e0ecae","first_party_analysis":false,"job_name":"poutine","job_run_uuid":"","ref":"refs/pull/482/merge","runner_os":"Linux","started_at":"2025-11-07T18:05:39.980Z","status":"user-error","steady_state_default_setup":false,"testing_environment":"","workflow_name":"Code Scanning","workflow_run_attempt":2,"workflow_run_id":19173891048,"actions_event_name":"pull_request","runner_available_disk_space_bytes":40131641344,"runner_total_disk_space_bytes":50884108288,"cause":"Unable to upload \"results.sarif\" as it is not valid SARIF:\n- instance.runs[0].tool.driver.supportedTaxonomies[0].index is not of a type(s) integer\n- instance.runs[0].tool.driver.supportedTaxonomies[0].guid is not of a type(s) string\n- instance.runs[0].taxonomies[0].rules is not of a type(s) array","exception":"Error: Unable to upload \"results.sarif\" as it is not valid SARIF:\n- instance.runs[0].tool.driver.supportedTaxonomies[0].index is not of a type(s) integer\n- instance.runs[0].tool.driver.supportedTaxonomies[0].guid is not of a type(s) string\n- instance.runs[0].taxonomies[0].rules is not of a type(s) array\n    at run (/home/runner/_work/_actions/github/codeql-action/4fa2a7953630fd2f3fb380f21be14ede0169dd4f/lib/upload-sarif-action.js:73:15)\n    at async runWrapper (/home/runner/_work/_actions/github/codeql-action/4fa2a7953630fd2f3fb380f21be14ede0169dd4f/lib/upload-sarif-action.js:86:9)","completed_at":"2025-11-07T18:05:40.497Z","matrix_vars":"null","runner_arch":"ARM64"}
##[debug]Node Action run completed with exit code 1
##[debug]CODEQL_ACTION_FEATURE_MULTI_LANGUAGE='false'
##[debug]CODEQL_ACTION_FEATURE_SANDWICH='false'
##[debug]CODEQL_ACTION_FEATURE_SARIF_COMBINE='true'
##[debug]CODEQL_ACTION_FEATURE_WILL_UPLOAD='true'
##[debug]CODEQL_ACTION_VERSION='3.25.12'
##[debug]CODEQL_ACTION_ANALYSIS_KEY='.github/workflows/security-ci.yml:poutine'
##[debug]CODEQL_WORKFLOW_STARTED_AT='2025-11-07T18:05:39.980Z'
##[debug]CODEQL_ACTION_JOB_STATUS='JOB_STATUS_CONFIGURATION_ERROR'
##[debug]Finishing: Upload poutine SARIF file

Desktop (please complete the following information):

  • OS: Ubuntu
  • Browser [e.g. chrome, safari]
  • Version 24.04

JPLachance, Nov 07 '25 18:11
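A pre-upload check that reproduces the three shape errors the upload step reports, as an added example (not poutine's or codeql-action's code). It covers only those three fields, not the full SARIF 2.1.0 schema, and both sample documents are constructed here.

```python
"""Check a SARIF document for the three type violations quoted in this issue."""
import json


def _check_type(problems, path, value, expected, type_name):
    """Append a validator-style message when `value` is not of the expected type.
    bool is a subclass of int in Python, so it is excluded from "integer"."""
    ok = isinstance(value, expected) and not (expected is int and isinstance(value, bool))
    if not ok:
        problems.append(f"{path} is not of a type(s) {type_name}")


def check_sarif(doc):
    """Return problems in the same format as the upload-sarif step's output.
    Only keys that are present are checked; a JSON null counts as a wrong type,
    which is how a nil pointer serialized by the producer would show up."""
    problems = []
    for i, run in enumerate(doc.get("runs", [])):
        driver = run.get("tool", {}).get("driver", {})
        for j, tax in enumerate(driver.get("supportedTaxonomies", [])):
            base = f"instance.runs[{i}].tool.driver.supportedTaxonomies[{j}]"
            if "index" in tax:
                _check_type(problems, f"{base}.index", tax["index"], int, "integer")
            if "guid" in tax:
                _check_type(problems, f"{base}.guid", tax["guid"], str, "string")
        for j, tax in enumerate(run.get("taxonomies", [])):
            if "rules" in tax:
                _check_type(problems, f"instance.runs[{i}].taxonomies[{j}].rules",
                            tax["rules"], list, "array")
    return problems


def check_sarif_text(text):
    return check_sarif(json.loads(text))


# Constructed sample: index as a string, guid as null, rules as an object.
BAD_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "poutine",
                        "supportedTaxonomies": [{"name": "CWE", "index": "0", "guid": None}]}},
    "taxonomies": [{"name": "CWE", "rules": {}}], "results": []}]})

# Constructed sample with the same fields in the types the schema expects.
GOOD_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "poutine",
                        "supportedTaxonomies": [{"name": "CWE", "index": 0, "guid": "placeholder-guid"}]}},
    "taxonomies": [{"name": "CWE", "rules": []}], "results": []}]})

if __name__ == "__main__":
    for problem in check_sarif_text(BAD_SARIF):
        print(problem)
```

Running it on a real results.sarif before the upload step surfaces these errors locally instead of as a failed job.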

A working version: https://github.com/boostsecurityio/poutine-action/commit/d10ad5694d09a3e3b233afc1987224ac087a9e55

The non-working version: https://github.com/boostsecurityio/poutine-action/commit/61bf0017ee5853beb601609f85c94249b53c26ef

JPLachance, Nov 11 '25 23:11

Any clue on this one, @fproulx-boostsecurity?

JPLachance, Nov 20 '25 13:11