When GitHub Advanced Security is unavailable, such as in private repositories, or organizations who do not have a license. The CodeQL action will fail to upload the report.

We should document how to use the SARIF file in a GitHub Actions Workflow to report on failures whens GHAS is unavailable

This happens because the docker workspace doesn't match the default workspace for GHA I think its to do with the mapping from /home/runner:/github/workspace that happens when we checkout gets mapped in the Dockerfile.

When it comes back from Docker to the Actions Runner, actions sets the workspace root is /home/runner

The action doesn't run in remote repositories.

When github actions pulls the source it does not create a git repository. pip install then fails because setuptools-scm needs to be run from a git repository / released tarball.

rather than just converting to SARIF generating diagnostics in the Language Server Protocol format?

We're using setuptools scm to set the package version from git tag.
We also use an action to add a major version tag on release - if it see a tag v0.0.1 a v0 tag gets created.

It looks like setuptools scm is grabbing the major version tag, we auto-create, as evidenced by having version 0 published on pypi and not v0.1.0

We going to use nox

https://hynek.me/articles/why-i-like-nox/

Many cases IAM Policy templates use template strings that are then filled in at compile time. In their raw template state they won't validate successfully against AWS APIs.

It would be useful to inject values for Policy Template strings used in the following IaC tools

terraform templatefile (interpolation, not directives)
cloudformation (!Sub function)

they both have the same interpolation syntax
${key}

CloudFormation has some builtin PseudoParameters like ${AWS::Region} as wel

As a first pass the templating context should require the literal String use within the interpolation, so the lookup will always be a str -> str. Won't support looking up against an object.

{
"key.xyz": "key-was-a-string"
}

What about Conditionals in terraform?
https://www.terraform.io/language/configuration-0-11/interpolation#conditionals
We believe conditionals should be evaluated outside of the scope of a Policy template.

the context, a simple str -> str map should be supplied when iam-sarif-report is called. This should be from either a file or command line parameters

Policy Variables

          "sns:endpoint": "https://example.com/${aws:username}/"

IAM supports its own interpolation too using Policy Variables

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-wheretouse

any render would have to be to avoid interpolation of these

Instead of generating a SARIF per file multiple input files should be able to passed and produce a combined SARIF result.

On the CLI

iam-sarif-report [FILES...] [OUTPUT]

This would simplify tools that consume the SARIF and allow for the shell to handle file selection

the CLI assumes the final input file is the output file and overwrites the it with the output

Hello,
I am using your action on IAM Validation, and I have found this message below:

The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

I am raising this just to make you aware of it and check if you plan to update it in the future.