Description
Hi,
I was looking at introducing the Anchore container scanning via GitHub Actions into a workflow that triggers the scanning and uploading of the SARIF report off the event of a registry package being uploaded.
The reason for wanting to do this outside of the standard pattern with respect to the code scanning examples that currently exist is that it can be an expensive operation, and I want to scan every image that we publish to a registry asynchronously from the build/publish process.
The problem that I have hit in this regard is that the github/codeql-action/upload-sarif@v1 action is using a git command-line invocation, as identified in the failed output of the action:
Automatically detected languages: ["java","javascript"]
Uploading results
fatal: not a git repository (or any of the parent directories): .git
##[error]The process 'git' failed with exit code 128
It would be good to be able to provide a SARIF report by passing the necessary details as input parameters on the action, rather than having the action invocation try to resolve them from the underlying git repository.
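The workflow shape described above, as an added example that is not part of the original issue and not the reporter's or the project's own code. It triggers on a registry package being published, scans the image with Anchore, and uploads the SARIF to code scanning. Since the post reports that `upload-sarif` shells out to `git` and fails outside a repository, the example includes an `actions/checkout` step so that a `.git` directory exists when the upload runs; that step, the action versions, the `image` / `sarif_file` input names, and the `github.event.registry_package.package_version.package_url` payload path are all assumptions in this example and should be checked against the action and event documentation for the versions in use.

```yaml
# Added example workflow (not from the original issue): scan every published
# registry package asynchronously from the build/publish job and upload the
# SARIF report to code scanning.
name: scan-published-image

on:
  registry_package:
    types: [published]   # fires when an image is pushed to the registry

jobs:
  anchore-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required for upload-sarif to write alerts
    steps:
      # ASSUMPTION: upload-sarif needs git metadata (the post shows it running
      # `git` and failing with "not a git repository"), so check the repo out
      # even though this job does not build anything.
      - uses: actions/checkout@v2

      # ASSUMPTION: input name `image` and output `sarif` for anchore/scan-action;
      # the payload path to the pushed image is also an assumption.
      - name: Scan the published image with Anchore
        id: scan
        uses: anchore/scan-action@v2
        with:
          image: ${{ github.event.registry_package.package_version.package_url }}
          fail-build: false   # report findings; do not fail the async scan job

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```

The `checkout` step is only a workaround for the behaviour the issue reports: it makes the workspace a git repository so the `git` invocation inside `upload-sarif` has something to resolve, at the cost of a clone that the scan job does not otherwise need. The request in the issue, supplying those details as explicit inputs instead, would let this step be dropped.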