ci: Report results from CIFuzz using SARIF
authorjonathanmetzman <31354670+jonathanmetzman@users.noreply.github.com>
Mon, 5 Jun 2023 05:37:34 +0000 (01:37 -0400)
committerGitHub <noreply@github.com>
Mon, 5 Jun 2023 05:37:34 +0000 (07:37 +0200)
Upload results from CIFuzz using SARIF.
This will allow CIFuzz to report issues in the security tab.
This is a better UI than having to look through logs.
TODO(google/oss-fuzz#10452): Add proper descriptions of UBSAN bugs.

.github/workflows/cifuzz.yml

index be22f7c35a6060455ad21aa76d3985e0c9888108..8cf10a2d7e610ff3056ecda9062820f1c1eb8b46 100644 (file)
@@ -35,6 +35,9 @@ jobs:
         include:
           - sanitizer: address
             architecture: i386
+    permissions:
+      security-events: write
+
     steps:
       - name: Build Fuzzers (${{ matrix.sanitizer }})
         id: build
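Review bot: The `security-events: write` grant added here is job-wide, so every step in the job receives a token with that scope. That includes `google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master` in a later hunk, which is referenced by a mutable branch, whereas the two upload actions are pinned to commit SHAs. Either pin the oss-fuzz actions to a commit SHA, or move the SARIF upload into a separate job that holds the write scope and consumes the results as an artifact. A job-level `permissions` block also sets every unlisted scope to `none`, so a comment such as `# security-events: write is needed only by the Upload Sarif step` would record why the grant exists. The job definition starts above this hunk, so any workflow-level `permissions` default is not visible here.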
@@ -47,6 +50,7 @@ jobs:
           keep-unaffected-fuzz-targets: true
           sanitizer: ${{ matrix.sanitizer }}
           architecture: ${{ matrix.architecture }}
+          output-sarif: true
       - name: Run Fuzzers (${{ matrix.sanitizer }})
         uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
         with:
@@ -54,9 +58,17 @@ jobs:
           fuzz-seconds: 600
           dry-run: false
           sanitizer: ${{ matrix.sanitizer }}
+          output-sarif: true
       - name: Upload Crash
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
         if: failure() && steps.build.outcome == 'success'
         with:
           name: ${{ matrix.sanitizer }}-${{ matrix.architecture }}-artifacts
           path: ./out/artifacts
+      - name: Upload Sarif
+        if: always() && steps.build.outcome == 'success'
+        uses: github/codeql-action/upload-sarif@0225834cc549ee0ca93cb085b92954821a145866
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: cifuzz-sarif/results.sarif
+          checkout_path: cifuzz-sarif
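Review bot: The `Upload Sarif` step runs under `always() && steps.build.outcome == 'success'`, which also covers a cancelled run and a `run_fuzzers` step that stopped before writing `cifuzz-sarif/results.sarif`. Assuming the file can be absent in those cases, the upload would fail on the missing path and add a second, misleading failure to the job. Consider guarding on the file, e.g. `if: ${{ !cancelled() && steps.build.outcome == 'success' && hashFiles('cifuzz-sarif/results.sarif') != '' }}`. The inline comment says the path is relative to the repository root while `checkout_path` is set to `cifuzz-sarif`, so the comment should state which directory the SARIF locations are resolved against.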