Fails to upload SARIF when a scanning report is too large #375

Closed
mpoberezhniy opened this issue Apr 25, 2024 · 6 comments · Fixed by #376

@mpoberezhniy
Contributor

Type of issue

Bug Report

Description

When it is triggered on a default-branch push, the following error occurs.

🥳 No defects added. Yay!

❌ Failed to upload the SARIF report to GitHub
/action/functions.sh: line 318: /usr/bin/curl: Argument list too long

Assumed cause:
Curl could not process a large SARIF report passed as a CLI argument. In my case the report was saved, and it is 226194 lines long.

-d '{"commit_oid":"'"${HEAD}"'","ref":"'"${GITHUB_REF//merge/head}"'","analysis_key":"differential-shellcheck","sarif":"'"$(gzip -c output.sarif | base64 -w0)"'","tool_names":["differential-shellcheck"]}'

Describe the solution you'd like

The report is uploaded successfully. Potentially getting the data from a file.
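An added example (my own shell, not the action's functions.sh) of the file-based approach proposed above: the gzip+base64 blob and the JSON body are written to files and curl reads the body with `--data-binary @file`, so the report size never reaches the kernel's per-argument limit. Function and variable names are mine; the endpoint is GitHub's code-scanning SARIF upload API.

```bash
#!/usr/bin/env bash
# Added example, not the action's own functions.sh. Builds the SARIF upload body
# in a file so the base64 blob never becomes an exec() argument: Linux caps a
# single argument at MAX_ARG_STRLEN (131072 bytes), which a ~292K blob exceeds
# and which is what "/usr/bin/curl: Argument list too long" reports.

# Write the JSON body to $out. Names and argument order are my own choice.
build_sarif_payload() {
  local sarif_file="$1" commit="$2" ref="$3" out="$4"
  local blob
  blob="$(mktemp)"
  # Compress and base64 (no line wrapping) straight into a file; nothing here
  # passes through the shell's argument list.
  gzip -c "$sarif_file" | base64 | tr -d '\n' > "$blob"
  {
    printf '{"commit_oid":"%s","ref":"%s","analysis_key":"differential-shellcheck","sarif":"' \
      "$commit" "$ref"
    cat "$blob"
    printf '","tool_names":["differential-shellcheck"]}'
  } > "$out"
  rm -f "$blob"
}

# curl reads the body from the file (@file), so argv stays a few dozen bytes
# regardless of how large the report is.
upload_sarif() {
  local payload="$1" repo="$2" token="$3"
  curl -sS -X POST \
    -H "Authorization: Bearer $token" \
    -H "Accept: application/vnd.github+json" \
    --data-binary "@$payload" \
    "https://api.github.com/repos/$repo/code-scanning/sarifs"
}

# Example wiring (values come from the workflow environment, as in the action):
#   build_sarif_payload output.sarif "$HEAD" "${GITHUB_REF//merge/head}" body.json
#   upload_sarif body.json "$GITHUB_REPOSITORY" "$GITHUB_TOKEN"
```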

@jamacku
Member

jamacku commented Apr 25, 2024

GitHub limits the size of the SARIF file to 10MB, but based on your number of lines, it seems like 0.2MB. Am I correct?

For each gzip-compressed SARIF file, SARIF upload supports a maximum size of 10 MB. Any uploads over this limit will be rejected. If your SARIF file is too large because it contains too many results, you should update the configuration to focus on results for the most important rules or queries. For more information, see "SARIF results file is too large."

Could you please provide the workflow in which you are running Differential ShellCheck?

@jamacku jamacku self-assigned this Apr 25, 2024
@mpoberezhniy
Contributor Author

I checked the output.sarif size and it happens to be 10784 KB which just exceeds the limit that I did not know about.

The workflow yaml is as follows.

name: Differential ShellCheck
on:
  push:
    branches: [ master ]
  pull_request:

permissions:
  contents: read
  pull-requests: write

jobs:
  lint:
    runs-on: ubuntu-latest

    permissions:
      security-events: write
      actions: read
      contents: read

    steps:
      - name: Repository checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - id: ShellCheck
        name: Differential ShellCheck
        uses: redhat-plumbers-in-action/differential-shellcheck@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - if: ${{ always() }}
        name: Upload artifact with ShellCheck defects in SARIF format
        uses: actions/upload-artifact@v4
        with:
          name: Differential ShellCheck SARIF
          path: ${{ steps.ShellCheck.outputs.sarif }}

@mpoberezhniy
Contributor Author

I tried minimizing the output.sarif file by removing white spaces (as curl should do with the data) and now it is 2.6 MB.

@mpoberezhniy
Contributor Author

Checked the gzipped output sarif and it is 0.3 MB. The gzipped minimized sarif is 0.1 MB.

$ du -h output.sarif
11M	output.sarif
$ gzip -c output.sarif | base64 -w0 > gzipped.sarif
$ du -h gzipped.sarif
292K	gzipped.sarif
$ gzip -c output.sarif.min | base64 -w0 > gzipped.sarif.min
$ du -h gzipped.sarif.min
112K	gzipped.sarif.min

I apologise for the distraction with the file sizes.

@jamacku
Member

jamacku commented Apr 26, 2024

Thank you for the report and the fix. I'll try to release a new version today.

The workflow looks ok. But I think permissions: pull-requests: write is unnecessary, at least for public repositories.

@mpoberezhniy
Contributor Author

Thanks. I will try removing permissions: pull-requests: write.
