
ci(binskim): clean go/dotnet/rust configurations end-to-end#176

Merged: prsasattms merged 1 commit into main from fix/binskim-go-dotnet-clean on Jun 3, 2026

Conversation

@prsasattms

Collaborator

Cleans the BinSkim binskim-go configuration on the code-scanning page, which currently shows the warning "unsuccessful tool execution, exit code 0".

Root cause

BinSkim sets invocations[0].executionSuccessful = false when it can't load a PDB for the Go binary (ERR997.ExceptionLoadingPdb). Go's toolchain does not emit MSVC PDB files — this is the documented limitation, not a tool failure or a security finding. The Go security posture is enforced by the Go toolchain (govulncheck, runtime bounds-checking, W^X-by-default) rather than the MSVC linker switches BinSkim inspects.

Fix

  • scripts/security/filter_binskim_sarif.py — new _normalize_invocations step. Walks toolConfigurationNotifications, demotes notifications matching binskim_suppressions.json[invocation_notifications] from error to note (with an audit-trail suppressions entry), and flips executionSuccessful back to true when no error-level notifications remain.
  • scripts/security/binskim_suppressions.json — new invocation_notifications entry for ERR997.ExceptionLoadingPdb on omnivec.exe with a documented security justification.
  • .github/workflows/binskim.yml — wires the binskim-dotnet and binskim-go jobs through filter_binskim_sarif.py before SARIF upload (binskim-rust was already wired by PR #175, "ci(binskim): fix 'expected a result message' SARIF upload errors").

Verification

Tested locally against the actual SARIF artifact from the most recent failed run on main:

BinSkim filter: kept=0 suppressed=0 unsuppressed_fails_or_warnings=0 message_text_patched=0 notifications_demoted=1
executionSuccessful: True
notification levels: note

Rust SARIF re-tested for regression — still clean.

After this PR all three BinSkim configurations (dotnet / go / rust) should show clean with no errors and no warnings.

The BinSkim go configuration on main was showing the warning
'unsuccessful tool execution, exit code 0' because BinSkim sets
invocations[0].executionSuccessful=false when it can't load a PDB
for the Go binary (ERR997.ExceptionLoadingPdb). Go's toolchain does
not emit MSVC PDBs — this is the documented limitation, not a tool
failure or a security finding.

Changes:
- scripts/security/filter_binskim_sarif.py: new _normalize_invocations
  step. Walks toolConfigurationNotifications, demotes ones matching
  binskim_suppressions.json[invocation_notifications] from error to
  note (with audit-trail suppression entry), and flips
  executionSuccessful back to True when no error-level notifications
  remain.
- scripts/security/binskim_suppressions.json: add documented
  invocation_notifications entry for ERR997.ExceptionLoadingPdb on
  omnivec.exe with a security justification (Go security posture is
  enforced by Go toolchain + runtime, not by MSVC linker switches).
- .github/workflows/binskim.yml: wire binskim-dotnet and binskim-go
  jobs through filter_binskim_sarif.py before SARIF upload. Rust was
  already wired (PR #175).

After this PR all three configurations (binskim-dotnet, binskim-go,
binskim-rust) should show clean on the BinSkim configuration page
with no errors and no warnings.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
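The normalisation step that both the PR description and the commit message outline (walk toolConfigurationNotifications, demote suppressed error-level entries to note with an audit record, restore executionSuccessful once no errors remain), reimplemented here as an added Python example. This is not the project's scripts/security/filter_binskim_sarif.py; the SARIF sample, the key layout of the suppression entries, the `properties` bag used for the audit record and the helper names are constructed assumptions.

```python
import copy

# Constructed SARIF run (not a real BinSkim artifact) shaped like the failure the
# PR describes: the invocation is flagged unsuccessful only because of an
# error-level ERR997 notification about the Go binary's missing PDB.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "BinSkim"}},
        "results": [],
        "invocations": [{
            "executionSuccessful": False,
            "toolConfigurationNotifications": [{
                "descriptor": {"id": "ERR997.ExceptionLoadingPdb"},
                "level": "error",
                "message": {"text": "'omnivec.exe' was not evaluated because its PDB could not be loaded."},
                "locations": [{"physicalLocation": {"artifactLocation": {
                    "uri": "file:///D:/a/build/omnivec.exe"}}}],
            }],
        }],
    }],
}

# Constructed suppression file; the layout under "invocation_notifications" is an
# assumption about binskim_suppressions.json, not its real schema.
SAMPLE_SUPPRESSIONS = {
    "invocation_notifications": [{
        "id": "ERR997.ExceptionLoadingPdb",
        "target": "omnivec.exe",
        "justification": ("Go toolchain emits no MSVC PDB; Go hardening is enforced "
                          "by the toolchain and runtime, not by MSVC linker switches."),
    }],
}

# Variant with a second, unrelated error that no rule suppresses (constructed id).
SAMPLE_SARIF_UNRELATED_ERROR = copy.deepcopy(SAMPLE_SARIF)
SAMPLE_SARIF_UNRELATED_ERROR["runs"][0]["invocations"][0]["toolConfigurationNotifications"].append({
    "descriptor": {"id": "ERR999.ConstructedUnrelatedFailure"},
    "level": "error",
    "message": {"text": "constructed: some other failure"},
})


def _artifact_basenames(notification):
    """Basenames of every artifact URI the notification points at."""
    names = []
    for loc in notification.get("locations", []):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
        if uri:
            names.append(uri.rsplit("/", 1)[-1])
    return names


def _matches(notification, rule):
    """A rule matches on notification id, and on the target binary when it names one."""
    if notification.get("descriptor", {}).get("id") != rule["id"]:
        return False
    target = rule.get("target")
    if target is None:
        return True
    names = _artifact_basenames(notification)
    if names:
        return target in names
    # No location attached: fall back to the message text.
    return target in notification.get("message", {}).get("text", "")


def normalize_invocations(sarif, suppressions):
    """Demote suppressed error-level notifications to 'note' and restore
    executionSuccessful. Returns (new_sarif, stats); the input is not mutated."""
    sarif = copy.deepcopy(sarif)
    rules = suppressions.get("invocation_notifications", [])
    stats = {"notifications_demoted": 0, "invocations_marked_successful": 0}
    for run in sarif.get("runs", []):
        for invocation in run.get("invocations", []):
            notes = invocation.get("toolConfigurationNotifications", [])
            demoted_here = 0
            for note in notes:
                if note.get("level") != "error":
                    continue
                rule = next((r for r in rules if _matches(note, r)), None)
                if rule is None:
                    continue
                note["level"] = "note"
                # Audit trail: record what was demoted and why (property bag is assumed).
                note.setdefault("properties", {})["suppression"] = {
                    "originalLevel": "error",
                    "source": "invocation_notifications",
                    "justification": rule["justification"],
                }
                demoted_here += 1
            stats["notifications_demoted"] += demoted_here
            still_failing = any(n.get("level") == "error" for n in notes)
            # Flip the flag only when this step removed the last error; an invocation
            # that failed for reasons the suppressions do not cover stays failed.
            if demoted_here and not still_failing and invocation.get("executionSuccessful") is False:
                invocation["executionSuccessful"] = True
                stats["invocations_marked_successful"] += 1
    return sarif, stats


def summarize(sarif):
    """Compact view of the first invocation, for checking outcomes."""
    inv = sarif["runs"][0]["invocations"][0]
    notes = inv.get("toolConfigurationNotifications", [])
    return {
        "executionSuccessful": inv.get("executionSuccessful"),
        "levels": [n.get("level") for n in notes],
        "demoted": [n["descriptor"]["id"] for n in notes if "suppression" in n.get("properties", {})],
    }


if __name__ == "__main__":
    cleaned, stats = normalize_invocations(SAMPLE_SARIF, SAMPLE_SUPPRESSIONS)
    print(stats, summarize(cleaned))
```

One deliberate tightening relative to the description: the flag is restored only when this step itself demoted the last remaining error, so an invocation that BinSkim marked unsuccessful for a reason the suppression file does not cover is left failed rather than silently cleaned. The second sample shows that case: ERR997 is demoted, the unrelated error stays, and executionSuccessful stays false.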
@prsasattms prsasattms merged commit 26e00cb into main Jun 3, 2026
@prsasattms prsasattms deleted the fix/binskim-go-dotnet-clean branch June 3, 2026 15:51