Closed agateau-gg closed 1 week ago
For the multi-match secret it does not seem ideal, but it is probably the best we can do. Do we know how GitHub Advanced Security & others display those with SARIF format?
I have no idea :/
I tested with the validator and the PyCharm extension; it looks good to me!
Oh, I could not find a PyCharm extension! Need to look again.
Context
This PR adds support for generating reports in SARIF format when scanning for secrets.
See #869.
What has been done
The PR first introduces a `--format (text|json)` option, and makes existing commands use it. `--format json` is a more verbose version of `--json`, but it makes it possible to add new formats without adding a new flag for each format.

Then it introduces a `sarif` value for `--format`. This value is only used by `secret scan` commands for now. Adding it to other verticals will be done separately.

Representing multi-match secrets in SARIF output
There is a bit of an impedance mismatch between ggshield secret output and SARIF output. A SARIF result is supposed to have one location, but a secret often contains multiple matches, so each match needs to be a separate location. To reconcile this, the result location starts at the start of the first match and ends at the end of the last match. Then each match is added as a "related" location.
This can be seen in this screenshot of a GitHub import of a ggshield SARIF document:
I am open to suggestions regarding better ways to represent multi-match secrets.
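As an added illustration (not the PR's own code), this maps one multi-match secret to a single SARIF result the way described above: the primary location spans from the first match's start to the last match's end, and every match is attached as a related location. The `Match` shape, rule id, file name and sample coordinates are constructed for the example.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Match:
    """One matched component of a secret (constructed shape, not ggshield's own)."""
    name: str
    start_line: int
    start_col: int
    end_line: int
    end_col: int


def _region(m: Match) -> dict:
    # SARIF regions use 1-based line and column numbers.
    return {"startLine": m.start_line, "startColumn": m.start_col,
            "endLine": m.end_line, "endColumn": m.end_col}


def build_sarif_result(rule_id: str, uri: str, matches: list[Match]) -> dict:
    """Map one multi-match secret to a single SARIF result.

    The primary location spans from the earliest match start to the latest
    match end; every match is then listed under relatedLocations.
    """
    if not matches:
        raise ValueError("a secret needs at least one match")
    ordered = sorted(matches, key=lambda m: (m.start_line, m.start_col))
    first = ordered[0]
    last = max(ordered, key=lambda m: (m.end_line, m.end_col))
    related = [
        {"id": i, "message": {"text": m.name},
         "physicalLocation": {"artifactLocation": {"uri": uri}, "region": _region(m)}}
        for i, m in enumerate(ordered)
    ]
    return {
        "ruleId": rule_id,
        "level": "error",
        "message": {"text": f"{rule_id}: secret with {len(ordered)} match(es)"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": first.start_line, "startColumn": first.start_col,
                       "endLine": last.end_line, "endColumn": last.end_col}}}],
        "relatedLocations": related,
    }


# Constructed sample: an id/secret pair living on separate lines of one file.
SAMPLE_MATCHES = [Match("client_secret", 5, 18, 5, 58), Match("client_id", 3, 14, 3, 46)]

if __name__ == "__main__":
    print(json.dumps(build_sarif_result("generic_secret", "config.yml", SAMPLE_MATCHES), indent=2))
```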
Validation
The code can be tested in different ways.
The first thing is to generate some SARIF report. This can be done with a command like this:
Then you can try to use the generated report in different places:
PR check list

- `skip-changelog` label has been added to the PR.