You cannot upload a SARIF results file larger than 10 MB to code scanning. Explore ways to generate a smaller file containing the highest impact results.
About this errorSARIF file is too large
SARIF results file is too large
SARIF upload is rejected (bigger than allowed size for zip archive)
SARIF ZIP upload is too large
A fatal error occurred: SARIF file is too large
413: Payload Too Large
One of these errors is reported if a process attempts to upload a SARIF file that is larger than the maximum size of 10 MB. Code scanning does not accept files above this size. There are several different ways to reduce the number of results generated for upload to code scanning.
You could see this error for SARIF files generated by CodeQL or by third-party analysis tools. For information about the limits on uploads, see code scanning, see SARIF support for code scanning.
Confirming the cause of the errorThere are many potential causes of very large SARIF results files.
SARIF file compressionTake a look at the results file that was rejected by code scanning to see if:
If the file wasn't compressed using gzip, try compressing the file before rerunning the upload process. If the compressed file is still too large, you need to configure the analysis to generate a smaller set of results.
Amount of code analyzedIf you have too many results, you should configure analysis to analyze only the most important code.
If you still have too many results, check how many queries you are using to analyze the code. Try running fewer queries. You can reintroduce additional queries when the initial alerts are fixed. For example, for CodeQL analysis you could run just the default suite of queries. For more information, see Customizing your advanced setup for code scanning.
Number of results found by queriesSometimes a single query reports many results because the codebase has a specific coding style, or because the analysis does not understand a particular library. You can review the results file in a SARIF viewer to see the distribution of results. For example, https://microsoft.github.io/sarif-web-component/.
The following options are listed in order of complexity. You need to revise the configuration to reduce the number of results to a manageable size. Once you have fixed all of those alerts, you can update the configuration to expand the analysis to cover more code or run more queries.
Excluding code from analysis for interpreted languagesExcluding non-production code from analysis is a simple way to reduce the size of the results file.
paths and paths-ignore in the workflow file to specify what code to analyze. For more information, see Customizing your advanced setup for code scanning.database create: create a YAML configuration file for code scanning using the same syntax to define which code to analyze. Update the database create command to call this configuration file using the --codescanning-config option. For more information, see Customizing your advanced setup for code scanning.Using a build command that compiles only one variant is a simple way to reduce the size of the results file.
database create: specify your chosen build command either by calling the database create command with the --command option, or by defining the build command in a YAML configuration file for code scanning and calling the file using the --codescanning-config option. For more information, see Preparing your code for CodeQL analysis.You may already be running only the default security queries, but it is worth checking.
queries keyword. If it is not present, then only the default query suite is run. If it is present, it defines which queries to run. Try commenting out this line of the workflow file. For more information, see Customizing your advanced setup for code scanning.database analyze: check the database analysis command for any paths that specify queries, query suites, or query packs. If none are present, then only the default query suite is run. If any are present, they define which queries to run, you can try removing them from the call. For more information, see Analyzing your code with CodeQL queries.If the results are dominated by the results for a single rule, excluding the rule from the analysis may be the best solution.
query-filters keyword to exclude one or more queries from analysis. For more information, see Customizing your advanced setup for code scanning.database analyze: update the database analysis command to exclude one or more queries from analysis. For more information, see Analyzing your code with CodeQL queries.Alternatively, you can use a tool like the filter-sarif action to rewrite the SARIF file to exclude specific detections via an exclusion pattern.
Omitting dataflow paths from the outputIf there are many deep code paths highlighted in the SARIF results, you can reduce the number of paths reported for each alert.
CodeQL advanced setup for code scanning: update the analyze step to limit the number of paths to a maximum of one or zero.
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
env:
CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths", 1]}}'
CodeQL CLI database analyze: update the database analysis command to include the --max-paths=1 flag. For more information, see database analyze.
Note
The max-paths setting affects the results of all dataflow queries.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4