`resultUrl` and `resultId` are always empty in SARIF report when `skip-upload` is not set

[tembleking]

Description

When running a scan with upload enabled (default behavior, skip-upload not set), the SARIF report always contains empty strings for resultUrl and resultId in the runs[0].properties section:

"properties": {
  "pullString": "...",
  "digest": "...",
  "resultUrl": "",
  "resultId": ""
}

These values should contain the Sysdig Secure scan result URL and ID, which are needed to navigate directly to the scan results in the Sysdig UI.

Steps to Reproduce

1. Configure the scan-action with upload enabled (do NOT set skip-upload: true)
2. Run the action:

- name: Run Sysdig Image Scan
  uses: sysdiglabs/scan-action@v6
  with:
    image-tag: ${{ inputs.image }}
    sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
    sysdig-secure-url: "https://us2.app.sysdig.com"
    stop-on-failed-policy-eval: false

3. Inspect the generated sarif.json file
4. Observe that resultUrl and resultId are empty strings

Expected Behavior

When upload is enabled, the SARIF report should contain the actual resultUrl and resultId values returned by the Sysdig CLI scanner, for example:

"resultUrl": "https://us2.app.sysdig.com/secure/#/vulnerabilities/results/18724ab53a1afb03ba696801d65fd660/overview",
"resultId": "18724ab53a1afb03ba696801d65fd660"

Root Cause

The CLI scanner returns these values in the JSON output (info.resultUrl and info.resultId), but:

1. The domain model ScanResult.Metadata class does not include these fields
2. SarifReportPresenter.ts hardcodes empty strings instead of using values from the scan result

Affected Files

• src/domain/scanresult/ScanResult.ts - Metadata class missing resultUrl and resultId
• src/infrastructure/github/SarifReportPresenter.ts:104-105 - hardcoded empty strings
• src/infrastructure/sysdig/JsonScanResultV1ToScanResultAdapter.ts - needs to pass these values

Version

v6.x (observed in v6.3.4)