( scanResponse: ScanResponse, inputs: ActionInputs, context: PullRequestContext, )
| 632 | } |
| 633 | |
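/**
 * Routes a scan server response to the configured output channels.
 *
 * Decision order: a skipped scan with nothing reportable exits early (no SARIF is
 * uploaded, so existing Code Scanning findings are not cleared); otherwise SARIF is
 * emitted when the scan ran or produced SARIF-reportable findings, and PR comments are
 * posted by this action only when the server reports it did not post them itself.
 *
 * @param scanResponse - Parsed response from the scan server.
 * @param inputs - Action inputs; the token, SARIF configuration and minimum severity are read here.
 * @param context - Pull request the scan targeted, used when posting fallback comments.
 * @returns Resolves once logging, SARIF output and any fallback comment posting are done.
 */
async function handleScanResponse(
  scanResponse: ScanResponse,
  inputs: ActionInputs,
  context: PullRequestContext,
): Promise<void> {
  const { comments, commentsPosted, review, skipReason } = scanResponse;
  const hasSarifFindings = hasSarifReportableFindings(scanResponse);
  const hasPrFindings = hasPrPostableFindings(comments);

  // A skipped scan is not a clean scan. Do not upload empty SARIF results that could clear
  // existing Code Scanning findings or imply that authorization-gated work ran. Mixed
  // responses still need processing when a finding can be surfaced through SARIF or PR
  // comments, because those output channels intentionally support different locations.
  if (skipReason && !hasSarifFindings && !hasPrFindings) {
    // skipReason is server-supplied text and core.info writes it verbatim to the job log
    // (unlike core.warning, which escapes its data). Collapse it to one line so a stray
    // line break cannot start a separate log line of its own.
    core.info(`🔀 Scan skipped: ${toSingleLine(skipReason)}`);
    return;
  }

  if (skipReason) {
    // Carry the skipReason into the warning: a contradictory response (skip + real
    // findings) signals a server-side bug, and the reason text is the operator's only
    // clue to which path produced it.
    core.warning(
      `Scan response included findings alongside a skipReason ("${skipReason}"); processing findings.`,
    );
  }

  core.info(`📊 Found ${comments.length} comments${review ? ' and review summary' : ''}`);

  // A mixed skip with only PR-postable findings must not upload an empty SARIF run.
  if (!skipReason || hasSarifFindings) {
    emitConfiguredSarifOutput(scanResponse, inputs);
  }

  // Only an explicit `false` triggers the fallback: the server has said it did not post.
  if ((hasPrFindings || review) && commentsPosted === false) {
    await postFallbackComments(
      inputs.githubToken,
      context,
      comments,
      review,
      inputs.minimumSeverity,
    );
    return;
  }

  if (comments.length > 0 && commentsPosted === true) {
    core.info('✅ Comments posted to PR by scan server');
    return;
  }

  if (comments.length > 0) {
    // commentsPosted is undefined - old server version
    core.info('✅ Comments returned (server version does not indicate if posted)');
    return;
  }

  // NOTE(review): this line is also reached when `comments` is empty but a review summary
  // was returned, or when hasSarifFindings is true without any comments — confirm whether
  // those cases can occur and whether the message is accurate for them.
  core.info('✨ No vulnerabilities found!');
}

/** Replaces CR/LF runs with a single space so the text occupies one log line. */
function toSingleLine(text: string): string {
  return text.replace(/[\r\n]+/g, ' ');
}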