ci: eclair: add SARIF summary step

nashif · nashif · commit a5645fb417c7 · 2026-05-27T09:38:25.000-04:00
Add scripts/ci/sarif_summary.py and a new 'Summarize SARIF results'
workflow step that runs after the scan and artifact upload.

The script reads results.sarif and:

- Writes a Markdown table to $GITHUB_STEP_SUMMARY, which surfaces on
  the GitHub Actions job summary page.  Rules are sorted by
  classification (mandatory first, then required, then advisory) and
  by descending violation count within each group.  The header shows
  the total violation count and the number of distinct rules triggered.

- Emits one ::notice:: workflow annotation per triggered rule so each
  rule ID, classification, description, and count appears in the
  Actions log viewer.

Both outputs are derived from the SARIF tool.driver.rules metadata
(fullDescription.text and properties.tags) and the per-result ruleId
counts.  The script handles multi-run SARIF files and falls back to
stdout when $GITHUB_STEP_SUMMARY is not set, making it usable locally
for inspection.

Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Anas Nashif &lt;anas.nashif@intel.com&gt;
diff --git a/.github/workflows/coding_guidelines_full.yml b/.github/workflows/coding_guidelines_full.yml
@@ -1,4 +1,4 @@
-name: Eclair Code Scanning
+name: Coding Guidelines Scanning
 on:
   push:
     branches:
@@ -161,6 +161,11 @@ jobs:
             DIAGNOSTIC.txt
             results_*.sarif
 
+      - name: Summarize SARIF results
+        if: always()
+        run: |
+          python3 scripts/ci/sarif_summary.py results.sarif
+
       # disabled for now
       # - name: Upload Analysis Results
       #   if: always()
diff --git a/scripts/ci/sarif_summary.py b/scripts/ci/sarif_summary.py
@@ -0,0 +1,127 @@
+#!/usr/bin/env python3
+# SPDX-FileCopyrightText: Copyright The Zephyr Project Contributors
+# SPDX-License-Identifier: Apache-2.0
+"""Generate a GitHub Actions step summary from a SARIF file.
+
+Reads the SARIF file produced by the ECLAIR scan and writes a Markdown
+table to $GITHUB_STEP_SUMMARY.  Also emits one ::notice:: workflow
+annotation per triggered rule so each rule appears in the Actions log
+with its violation count and description.
+
+Usage:
+    python3 scripts/ci/sarif_summary.py [results.sarif]
+"""
+
+import argparse
+import collections
+import json
+import os
+import sys
+
+
+def _tag_order(tag):
+    return {"mandatory": 0, "required": 1, "advisory": 2}.get(tag, 3)
+
+
+def parse_sarif(path):
+    """Return (counts, rule_meta) from *path*.
+
+    counts     -- Counter mapping ruleId -> total violation count
+    rule_meta  -- dict mapping ruleId -> {desc, tag}
+    """
+    with open(path, encoding="utf-8") as fh:
+        sarif = json.load(fh)
+
+    counts = collections.Counter()
+    rule_meta = {}
+
+    for run in sarif.get("runs", []):
+        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
+            rid = rule.get("id", "")
+            tags = rule.get("properties", {}).get("tags", [])
+            # Pick the most restrictive classification tag present.
+            tag = ""
+            for candidate in ("mandatory", "required", "advisory"):
+                if candidate in tags:
+                    tag = candidate
+                    break
+            rule_meta[rid] = {
+                "desc": rule.get("fullDescription", {}).get("text", rid),
+                "tag": tag,
+            }
+
+        for result in run.get("results", []):
+            rid = result.get("ruleId", "unknown")
+            counts[rid] += 1
+
+    return counts, rule_meta
+
+
+def write_summary(counts, rule_meta, out):
+    total = sum(counts.values())
+    n_rules = len(counts)
+
+    out.write("## :mag: ECLAIR MISRA Coding Guidelines Scan\n\n")
+    out.write(
+        f"> **Total violations:** {total:,} &nbsp;|&nbsp; "
+        f"**Rules triggered:** {n_rules}\n\n"
+    )
+
+    # Sort by tag priority then by count (descending within same tag).
+    sorted_rules = sorted(
+        counts.items(),
+        key=lambda kv: (_tag_order(rule_meta.get(kv[0], {}).get("tag", "")), -kv[1]),
+    )
+
+    out.write("| # | Rule ID | Classification | Violations | Description |\n")
+    out.write("|--:|---------|---------------|----------:|-------------|\n")
+    for idx, (rid, cnt) in enumerate(sorted_rules, 1):
+        m = rule_meta.get(rid, {})
+        tag = m.get("tag", "")
+        desc = m.get("desc", "")
+        out.write(f"| {idx} | `{rid}` | {tag} | {cnt:,} | {desc} |\n")
+
+
+def emit_annotations(counts, rule_meta):
+    """Emit one ``::notice::`` annotation per rule for the Actions log."""
+    for rid, cnt in sorted(counts.items(), key=lambda kv: -kv[1]):
+        m = rule_meta.get(rid, {})
+        desc = m.get("desc", rid)
+        tag = m.get("tag", "")
+        prefix = f"[{tag}] " if tag else ""
+        # Colons inside the message must be escaped so the annotation
+        # parser does not mis-identify them as property separators.
+        safe_desc = desc.replace("::", " ")
+        print(f"::notice title={rid}::{prefix}{safe_desc} — {cnt} violation(s)")
+
+
+def main():
+    ap = argparse.ArgumentParser(description=__doc__)
+    ap.add_argument(
+        "sarif",
+        nargs="?",
+        default="results.sarif",
+        help="Path to the SARIF file (default: results.sarif)",
+    )
+    ap.add_argument(
+        "--no-annotations",
+        action="store_true",
+        help="Skip emitting ::notice:: workflow command annotations",
+    )
+    args = ap.parse_args()
+
+    counts, rule_meta = parse_sarif(args.sarif)
+
+    summary_file = os.environ.get("GITHUB_STEP_SUMMARY")
+    if summary_file:
+        with open(summary_file, "a", encoding="utf-8") as fh:
+            write_summary(counts, rule_meta, fh)
+    else:
+        write_summary(counts, rule_meta, sys.stdout)
+
+    if not args.no_annotations:
+        emit_annotations(counts, rule_meta)
+
+
+if __name__ == "__main__":
+    main()
