clj-holmes / clj-holmes-action

Action to execute clj-holmes in Clojure/Clojurescript projects.

No #8

Open mikhail-khodorovskiy opened 1 year ago

mikhail-khodorovskiy commented 1 year ago

No rules seem to be used when the default rules database is used.

Action setup:

      - name: Scan
        uses: clj-holmes/clj-holmes-action@main
        with:
     #     rules-repository: 'git://clj-holmes/clj-holmes-rules#main'
          output-type: 'sarif'
          output-file: 'clj-holmes-results.sarif'
          fail-on-result: 'false'
          verbose: 'true'
        env:
          GITHUB_TOKEN: ${{ secrets.TOKEN }}

The results don't show the rules used, and as a result there are no violations found.

    {
      "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
      "version": "2.1.0",
      "runs": [
        {
          "tool": {
            "driver": {
              "name": "clj-holmes",
              "informationUri": "https://github.com/clj-holmes/clj-holmes",
              "version": "1.4.3",
              "rules": []
            }
          },
          "results": []
        }
      ]
    }
jvaliente-ut commented 7 months ago

I was having the same issue, so I installed clj-holmes manually to debug it. When scanning, a parsing error arises, causing clj-holmes not to trigger anything (it would be useful to fail the scan step if parsing issues are detected).

Additionally, the SARIF file's rules field only contains the rules detected in your code. In other words, if the rules provided don't match anything in your code, then nothing will be shown in the rules field (I intentionally introduced https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/clojure-weak-ssl-context/weak_context.clj to test it out).
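Both comments above point at the same gap: the SARIF file quoted in the first report has an empty `rules` array and an empty `results` array, and the second comment explains that this is exactly what a scan that matched nothing looks like, so the output alone cannot tell "no rules loaded" apart from "no findings". The script below is an added example (not code from clj-holmes or clj-holmes-action) of a post-scan gate a workflow can run on `clj-holmes-results.sarif` after the action step. It relies only on the SARIF 2.1.0 structure (`runs[].tool.driver.rules`, `runs[].results`, `runs[].invocations[].executionSuccessful`); the three sample documents, the `example-rule` id and the exit codes are constructed for this example and are not clj-holmes conventions.

```python
"""Post-scan sanity gate for a SARIF 2.1.0 file such as the one clj-holmes writes.

Added example, not part of clj-holmes or clj-holmes-action. Sample inputs are
constructed here; rule ids and exit codes are this example's own choices.
"""
import json
import sys

# Constructed sample 1: the shape quoted in the issue (no rules, no results).
ISSUE_OUTPUT = json.dumps({
    "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "clj-holmes",
                                   "informationUri": "https://github.com/clj-holmes/clj-holmes",
                                   "version": "1.4.3",
                                   "rules": []}},
              "results": []}],
})

# Constructed sample 2: one hypothetical rule ("example-rule") that matched once.
OUTPUT_WITH_FINDING = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "clj-holmes", "version": "1.4.3",
                                   "rules": [{"id": "example-rule",
                                              "shortDescription": {"text": "example"}}]}},
              "results": [{"ruleId": "example-rule", "level": "warning",
                           "message": {"text": "example finding"}}]}],
})

# Constructed sample 3: the tool recorded that its invocation did not succeed.
# A parse failure would be visible here if the tool wrote an invocation record.
OUTPUT_EXEC_FAILED = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "clj-holmes", "rules": []}},
              "invocations": [{"executionSuccessful": False}],
              "results": []}],
})

# Constructed sample 4: no findings, but a successful invocation record proves the
# scan ran to completion.
OUTPUT_CLEAN = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "clj-holmes", "rules": []}},
              "invocations": [{"executionSuccessful": True}],
              "results": []}],
})


def summarize_runs(sarif_text):
    """Return one dict per run with the counts a CI gate needs."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError("expected SARIF 2.1.0, got %r" % doc.get("version"))
    out = []
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        invocations = run.get("invocations", [])
        out.append({
            "tool": driver.get("name"),
            "rules": len(driver.get("rules", [])),
            "results": len(run.get("results", [])),
            "invocation_recorded": bool(invocations),
            # SARIF treats a missing executionSuccessful as "not stated"; all([]) is True.
            "execution_successful": all(i.get("executionSuccessful", True)
                                        for i in invocations),
        })
    return out


def classify(sarif_text):
    """Classify a scan so the workflow can decide what to do.

    'error'      : no runs at all, or a run recorded executionSuccessful=false
    'findings'   : at least one result
    'clean'      : no results, but the tool evidenced it ran (rules listed or a
                   successful invocation record)
    'unverified' : no rules, no results, no invocation record: indistinguishable
                   from a scan that loaded no rules at all
    """
    runs = summarize_runs(sarif_text)
    if not runs or any(not r["execution_successful"] for r in runs):
        return "error"
    if any(r["results"] for r in runs):
        return "findings"
    if any(r["rules"] or r["invocation_recorded"] for r in runs):
        return "clean"
    return "unverified"


def exit_code_for(status, fail_on_unverified=True):
    """Map a status to an exit code; 'findings' is left to the action's fail-on-result."""
    if status == "error":
        return 2
    if status == "unverified" and fail_on_unverified:
        return 3
    return 0


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "clj-holmes-results.sarif"
    with open(path) as fh:
        text = fh.read()
    status = classify(text)
    print(status, summarize_runs(text))
    sys.exit(exit_code_for(status))
```

Run it as a step after the scan (`python sarif_gate.py clj-holmes-results.sarif`). The file quoted in the issue classifies as `unverified` and exits 3, which surfaces the situation both commenters hit instead of silently passing; if you would rather only fail on a recorded execution failure, call `exit_code_for(status, fail_on_unverified=False)`.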