






















@@ -147,6 +147,42 @@ jobs:
147147run: swift build --package-path apps/macos --product OpenClaw
148148149149 - name: Analyze
150+id: analyze
150151uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
151152with:
153+output: sarif-results
154+upload: failure-only
155+category: "/codeql-critical-security/macos"
156+157+ - name: Remove dependency build results
158+env:
159+SARIF_OUTPUT: ${{ steps.analyze.outputs.sarif-output }}
160+run: |
161+ set -euo pipefail
162+ mkdir -p sarif-results-filtered
163+164+ found=0
165+ for file in "$SARIF_OUTPUT"/*.sarif; do
166+ if [ ! -e "$file" ]; then
167+ continue
168+ fi
169+170+ found=1
171+ jq '
172+ def in_dependency_build:
173+ any(.locations[]?; (.physicalLocation.artifactLocation.uri? // "") | test("(^|/)\\.build/"));
174+175+ .runs |= map(.results = ((.results // []) | map(select(in_dependency_build | not))))
176+ ' "$file" > "sarif-results-filtered/$(basename "$file")"
177+ done
178+179+ if [ "$found" -eq 0 ]; then
180+ echo "No SARIF files found in $SARIF_OUTPUT" >&2
181+ exit 1
182+ fi
183+184+ - name: Upload filtered SARIF
185+uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
186+with:
187+sarif_file: sarif-results-filtered
152188category: "/codeql-critical-security/macos"
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。