
CodeQL failed to upload alerts and generated an error as "RequestError [HttpError]: Resource not accessible by integration" #1720

Open
hisashin0728 opened this issue Jun 8, 2023 · 2 comments

Comments

@hisashin0728

Summary

CodeQL failed to upload alerts and generated an error as "RequestError [HttpError]: Resource not accessible by integration"

Details

CodeQL generated errors and can't upload SARIF files to repositories.

RequestError [HttpError]: Resource not accessible by integration
    at D:\a\_actions\github\codeql-action\v2\node_modules\@octokit\request\dist-node\index.js:66:23
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Job.doExecute (D:\a\_actions\github\codeql-action\v2\node_modules\bottleneck\light.js:405:18) {
  status: 403,
  headers: {
    'access-control-allow-origin': '*',
    'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
    connection: 'close',
    'content-encoding': 'gzip',
    'content-security-policy': "default-src 'none'",
    'content-type': 'application/json; charset=utf-8',
    date: 'Mon, 05 Jun 2023 22:37:57 GMT',
    'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
    server: 'GitHub.com',
    'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
    'transfer-encoding': 'chunked',
    vary: 'Accept-Encoding, Accept, X-Requested-With',
    'x-content-type-options': 'nosniff',
    'x-frame-options': 'deny',
    'x-github-api-version-selected': '2022-11-28',
    'x-github-media-type': 'github.v3; format=json',
    'x-github-request-id': '1406:6C90:64E71DC:CEBA229:647E63C5',
    'x-ratelimit-limit': '1000',
    'x-ratelimit-remaining': '998',
    'x-ratelimit-reset': '1686008277',
    'x-ratelimit-resource': 'core',
    'x-ratelimit-used': '2',
    'x-xss-protection': '0'
  },
  request: {
    method: 'PUT',
    url: 'https://api.github.com/repos/hisashin0728/PoCMDCIaC/code-scanning/analysis/status',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'CodeQL-Action/2.3.6 octokit-core.js/3.1.2 Node.js/16.16.0 (win32; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"workflow_run_id":5182535793,"workflow_run_attempt":1,"workflow_name":"MSDO windows-latest","job_name":"sample","analysis_key":".github/workflows/msdevopssec.yml:sample","commit_oid":"4c8fec07d611c32201362fe9f391482439446021","ref":"refs/heads/main","action_name":"upload-sarif","action_ref":"v2","action_oid":"unknown","started_at":"2023-06-05T22:37:56.855Z","action_started_at":"2023-06-05T22:37:56.855Z","status":"starting","testing_environment":"","runner_os":"Windows","action_version":"2.3.6","matrix_vars":"null","runner_arch":"X64","runner_os_release":"10.0.20348"}',
    request: { agent: [Agent], hook: [Function: bound bound register] }
  },
  documentation_url: 'https://docs.github.com/rest'
}
Error: Resource not accessible by integration

Here is my configuration YAML file.

name: MSDO windows-latest
on:
  push:
    branches:
      - main

jobs:
  sample:
    name: Microsoft Security DevOps Analysis
    runs-on: windows-latest

    steps:

      # Checkout your code repository to scan
    - uses: actions/checkout@v3

      # Install dotnet, used by MSDO
    - uses: actions/setup-dotnet@v3
      with:
        dotnet-version: |
          5.0.x
          6.0.x

      # Run analyzers
    - name: Run Microsoft Security DevOps Analysis
      uses: microsoft/security-devops-action@preview
      id: msdo
      # For IaC Only
      with:
        categories: 'IaC'

      # Upload alerts to the Security tab
    - name: Upload alerts to Security tab
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: ${{ steps.msdo.outputs.sarifFile }}

      # Upload alerts file as a workflow artifact
    - name: Upload alerts file as a workflow artifact
      uses: actions/upload-artifact@v3
      with:
        name: alerts
        path: ${{ steps.msdo.outputs.sarifFile }}
@aeisenberg
Contributor

Apologies for the late response here. Your workflow file will need to specify custom permissions. You can add this chunk at the top-level of the file:

permissions:
  actions: read
  contents: read
  security-events: write
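
The reporter's workflow with that fix applied, as an added example (this is not the original poster's file nor code from the codeql-action project). It keeps the step names and action versions from the issue; the only change is the explicit `permissions` block at the top level, commented with what each scope is for. Declaring permissions explicitly makes the job independent of the repository- or organisation-level default for GITHUB_TOKEN, and every scope not listed is set to none. As rursprung reports further down, only `security-events: write` was strictly required in their case; the two read scopes are the ones the answer above lists.

```yaml
# Added example: the workflow from this issue plus the top-level
# `permissions` block from the accepted answer. Not the reporter's
# original file and not part of github/codeql-action.
name: MSDO windows-latest
on:
  push:
    branches:
      - main

# Explicit, least-privilege token scopes for every job in this file.
# Anything not listed here is denied, whatever the repository default is.
permissions:
  actions: read          # listed in the answer above; lets the action read workflow run data
  contents: read         # actions/checkout needs read access to the repository
  security-events: write # the scope the 403 in this issue was missing: upload-sarif writes code scanning alerts

jobs:
  sample:
    name: Microsoft Security DevOps Analysis
    runs-on: windows-latest

    steps:
      # Checkout your code repository to scan
      - uses: actions/checkout@v3

      # Install dotnet, used by MSDO
      - uses: actions/setup-dotnet@v3
        with:
          dotnet-version: |
            5.0.x
            6.0.x

      # Run analyzers (IaC only, as in the issue)
      - name: Run Microsoft Security DevOps Analysis
        uses: microsoft/security-devops-action@preview
        id: msdo
        with:
          categories: 'IaC'

      # Upload alerts to the Security tab; this is the PUT to
      # /code-scanning/analysis/status that returned 403 without security-events: write
      - name: Upload alerts to Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}

      # Upload alerts file as a workflow artifact (needs no extra token scope)
      - name: Upload alerts file as a workflow artifact
        uses: actions/upload-artifact@v3
        with:
          name: alerts
          path: ${{ steps.msdo.outputs.sarifFile }}
```

If the workflow later grows additional jobs, the same block can be moved under an individual job (`jobs.<id>.permissions`) so that only the job performing the upload holds the write scope.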

rursprung added a commit to rust-embedded-community/tb6612fng-rs that referenced this issue Dec 13, 2023
This fixes the failure encountered when trying to upload the SARIF
report during the CI run for the branch. In the PR it worked fine.

The fix was suggested here: github/codeql-action#1720 (comment)
@rursprung

It'd be great if you could document that this is needed when running the build not just against PRs but also against branches (I run it against all PRs as well as the master branch). Also, only security-events: write is needed; the rest can be left at its default.

When searching the documentation I only found something about Dependabot, which clearly wasn't the case for me.
