Azure / container-scan

A GitHub action to help you scan your docker image for vulnerabilities
MIT License
218 stars 41 forks

SARIF support? #95

Open robert-scheck opened 2 years ago

robert-scheck commented 2 years ago

Is there any chance for SARIF support (a SARIF-compatible output file)? That would allow using github/codeql-action/upload-sarif@v1 in workflows, e.g.:

- name: Upload SARIF report
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: ${{ steps.scan.outputs.sarif }}

See also: https://docs.github.com/en/code-security/secure-coding/integrating-with-code-scanning/uploading-a-sarif-file-to-github

ajinkya599 commented 2 years ago

@pulkitaggarwl - Seeking your thoughts on this feature request.

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.

pulkitaggarwl commented 2 years ago

Thanks @robert-scheck for raising the ask. We don't have this as part of our backlog currently. Would you be willing to contribute to the action to add this functionality?

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.

robert-scheck commented 2 years ago

@pulkitaggarwl, I would have contributed this already if I had been able to implement it myself. As of writing, I'm now using aquasecurity/trivy-action@master directly.

rm3l commented 2 years ago

Hi there! I was also interested in this feature. Before seeing this issue, I set out to build this other Action to convert the output to SARIF. It should therefore be possible to support SARIF and upload the output to GitHub Code Scanning by adding a new step in your workflows, like so:

- name: Scan Container Image
  id: scan
  uses: Azure/container-scan@v0.1
  with:
    image-name: my-container-image

- name: Convert Container Scan Report to SARIF
  id: scan-to-sarif
  uses: rm3l/container-scan-to-sarif-action@v1
  if: ${{ always() }}
  with:
    input-file: ${{ steps.scan.outputs.scan-report-path }}

- name: Upload SARIF reports to GitHub Security tab
  uses: github/codeql-action/upload-sarif@v1
  if: ${{ always() }}
  with:
    sarif_file: ${{ steps.scan-to-sarif.outputs.sarif-report-path }}

Let me know your thoughts about this.
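
The workflow above relies on a converter step between the scan and the upload. As an added example for this thread (not code from Azure/container-scan or from rm3l/container-scan-to-sarif-action), the script below shows what such a conversion has to produce for github/codeql-action/upload-sarif: a SARIF 2.1.0 log with one rule per vulnerability ID, one result per (vulnerability, package) pair, a SARIF `level` derived from the scanner severity, and a physical location for every result, since container findings have no source line to point at. The input shape (`SAMPLE_REPORT`, with placeholder identifiers), the `Dockerfile` artifact URI and the severity-to-score mapping are all assumptions; the action's real report format is not shown in this thread.

```python
"""Convert a container-scan vulnerability report into SARIF 2.1.0 for
github/codeql-action/upload-sarif. Added example for this thread, not code
from Azure/container-scan or rm3l/container-scan-to-sarif-action; the input
shape (SAMPLE_REPORT) is assumed, the action's real format is not on the page."""
import json
import sys

# Constructed sample report with placeholder identifiers (assumed shape).
SAMPLE_REPORT = {
    "imageName": "my-container-image:latest",
    "vulnerabilities": [
        {"vulnerabilityId": "EXAMPLE-VULN-0001", "packageName": "libfoo",
         "installedVersion": "1.0.0", "fixedVersion": "1.0.1", "severity": "HIGH"},
        {"vulnerabilityId": "EXAMPLE-VULN-0002", "packageName": "libbar",
         "installedVersion": "2.3.4", "fixedVersion": "", "severity": "LOW"},
        {"vulnerabilityId": "EXAMPLE-VULN-0001", "packageName": "libfoo-dev",
         "installedVersion": "1.0.0", "fixedVersion": "1.0.1", "severity": "HIGH"},
    ],
}
# SARIF 'level' is one of none/note/warning/error; 'security-severity' is the
# numeric score GitHub code scanning reads from a rule's properties (assumed values).
LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}
SCORE = {"CRITICAL": "9.5", "HIGH": "8.0", "MEDIUM": "5.0", "LOW": "2.0"}


def to_sarif(report: dict, artifact_uri: str = "Dockerfile") -> dict:
    """One rule per vulnerability ID, one result per (ID, package). Container
    findings have no source line, so each result points at artifact_uri
    (assumed to be the scanned image's Dockerfile), line 1."""
    rules: dict = {}
    results: list = []
    for v in report.get("vulnerabilities", []):
        vid, sev = v["vulnerabilityId"], str(v.get("severity", "")).upper()
        rules.setdefault(vid, {
            "id": vid,
            "shortDescription": {"text": vid},
            "properties": {"tags": ["security", sev or "UNKNOWN"],
                           "security-severity": SCORE.get(sev, "0.0")},
        })
        fixed = v.get("fixedVersion") or "no fix available"
        results.append({
            "ruleId": vid,
            "level": LEVEL.get(sev, "none"),
            "message": {"text": f"{vid} in {v['packageName']} "
                                f"{v['installedVersion']} (fixed: {fixed}), "
                                f"image {report.get('imageName', '?')}"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": artifact_uri},
                "region": {"startLine": 1}}}],
            # Custom fingerprint keeps per-package results distinguishable;
            # whether GitHub keys its alert dedup on it is an assumption.
            "partialFingerprints": {"vuln/package": f"{vid}:{v['packageName']}"},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": "container-scan (converted)",
                                      "rules": list(rules.values())}},
                  "results": results}],
    }


def check_before_upload(sarif: dict) -> list:
    """Problems to fix before calling upload-sarif; empty list means clean."""
    problems: list = []
    if sarif.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for i, run in enumerate(sarif.get("runs") or [{}]):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append(f"run {i}: tool.driver.name missing")
        for j, r in enumerate(run.get("results", [])):
            if not r.get("message", {}).get("text"):
                problems.append(f"run {i} result {j}: message.text missing")
            if r.get("level") not in ("none", "note", "warning", "error"):
                problems.append(f"run {i} result {j}: invalid level")
            uris = [loc.get("physicalLocation", {}).get("artifactLocation", {})
                    .get("uri") for loc in r.get("locations") or []]
            if not any(uris):
                problems.append(f"run {i} result {j}: no artifactLocation.uri")
    return problems


def main(argv: list) -> int:
    """convert.py [report.json] [out.sarif]; no args converts SAMPLE_REPORT."""
    report = SAMPLE_REPORT
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    sarif = to_sarif(report)
    problems = check_before_upload(sarif)
    if problems:
        print("\n".join(problems), file=sys.stderr)
        return 1
    with open(argv[2] if len(argv) > 2 else "container-scan.sarif", "w",
              encoding="utf-8") as fh:
        json.dump(sarif, fh, indent=2)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python convert.py scan-report.json container-scan.sarif` in a step between the scan and the upload, and pass the output path to `sarif_file`. Two things worth checking after the first upload: that the findings actually appear in the Security tab (which is why every result carries a `physicalLocation`), and whether two packages hit by the same vulnerability ID at the same location show up as one alert or two, since GitHub deduplicates alerts on rule and location and the custom fingerprint above may or may not change that.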

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.

larryclaman commented 2 years ago

+1 to this request; I would like to see SARIF output so I can upload the results to GitHub Advanced Security. I would imagine that it would be trivial to add this feature, as this action uses the Trivy scanning engine, and there's another Trivy scanning action that indeed has SARIF output: https://github.com/aquasecurity/trivy-action

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.